10341000x80000000000000006696Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:35.489{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-623B-5FDA-AA02-000000009A01}2872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006695Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:35.474{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-623B-5FDA-AA02-000000009A01}2872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006694Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:35.474{84BF0721-615A-5FDA-2701-000000009A01}27044116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-623B-5FDA-AA02-000000009A01}2872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006693Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:35.333{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-623B-5FDA-A902-000000009A01}4328C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006692Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:35.333{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-623B-5FDA-A902-000000009A01}4328C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006691Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:35.333{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-623B-5FDA-A902-000000009A01}4328C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006690Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:35.271{84BF0721-623B-5FDA-A802-000000009A01}4980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1374-0\System.ServiceModel.ServiceMoniker40.dll2020-12-16 19:38:35.271 10341000x80000000000000006689Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:35.224{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-623B-5FDA-A802-000000009A01}4980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006688Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:35.208{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-623B-5FDA-A802-000000009A01}4980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006687Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:35.208{84BF0721-615A-5FDA-2701-000000009A01}27044116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-623B-5FDA-A802-000000009A01}4980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006686Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:35.177{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-623B-5FDA-A702-000000009A01}2460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006685Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:35.161{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-623B-5FDA-A702-000000009A01}2460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006684Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:35.161{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-623B-5FDA-A702-000000009A01}2460C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006683Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:35.083{84BF0721-623A-5FDA-A602-000000009A01}4432C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1150-0\System.ServiceModel.Routing.dll2020-12-16 19:38:35.083 10341000x80000000000000006754Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.943{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-623C-5FDA-B002-000000009A01}3852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006753Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.927{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-623C-5FDA-B002-000000009A01}3852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006752Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.927{84BF0721-615A-5FDA-2701-000000009A01}27044116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-623C-5FDA-B002-000000009A01}3852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006751Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.896{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006750Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.896{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006749Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.896{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006748Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.802{84BF0721-623C-5FDA-AC02-000000009A01}43124632C:\Windows\system32\conhost.exe{84BF0721-623C-5FDA-AF02-000000009A01}4700C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006747Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.802{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006746Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.802{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006745Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.802{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006744Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.802{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006743Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.802{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006742Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.802{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006741Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.802{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006740Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.802{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006739Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.802{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006738Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.802{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-623C-5FDA-AF02-000000009A01}4700C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006737Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.802{84BF0721-623C-5FDA-AE02-000000009A01}42684124C:\Windows\system32\cmd.exe{84BF0721-623C-5FDA-AF02-000000009A01}4700C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006736Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.810{84BF0721-623C-5FDA-AF02-000000009A01}4700C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-623C-5FDA-2471-180000000000}0x1871240HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{84BF0721-623C-5FDA-AE02-000000009A01}4268C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x80000000000000006735Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.802{84BF0721-623C-5FDA-AC02-000000009A01}43124632C:\Windows\system32\conhost.exe{84BF0721-623C-5FDA-AE02-000000009A01}4268C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006734Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.802{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006733Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.802{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006732Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.802{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006731Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.802{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006730Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.802{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006729Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.802{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006728Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.802{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006727Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.802{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006726Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.802{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006725Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.802{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-623C-5FDA-AE02-000000009A01}4268C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006724Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.802{84BF0721-623C-5FDA-AB02-000000009A01}46001176C:\Windows\system32\WinrsHost.exe{84BF0721-623C-5FDA-AE02-000000009A01}4268C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x80000000000000006723Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.801{84BF0721-623C-5FDA-AE02-000000009A01}4268C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-623C-5FDA-2471-180000000000}0x1871240HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{84BF0721-623C-5FDA-AB02-000000009A01}4600C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000006722Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.786{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006721Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.786{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006720Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.786{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006719Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.771{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-623C-5FDA-AD02-000000009A01}3468C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006718Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.739{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-623C-5FDA-AD02-000000009A01}3468C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006717Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.739{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-623C-5FDA-AD02-000000009A01}3468C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006716Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.693{84BF0721-5F00-5FDA-1400-000000009A01}13242432C:\Windows\system32\svchost.exe{84BF0721-623C-5FDA-AB02-000000009A01}4600C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000006715Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.677{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-623C-5FDA-AB02-000000009A01}4600C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006714Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:36.661{84BF0721-623B-5FDA-AA02-000000009A01}2872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\b38-0\System.ServiceModel.Web.dll2020-12-16 19:38:36.661 10341000x80000000000000006713Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.396{84BF0721-623C-5FDA-AC02-000000009A01}43124632C:\Windows\system32\conhost.exe{84BF0721-623C-5FDA-AB02-000000009A01}4600C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006712Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.364{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-623C-5FDA-AC02-000000009A01}4312C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006711Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.364{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006710Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.364{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006709Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.364{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006708Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.364{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006707Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.364{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006706Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.364{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006705Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.364{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006704Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.364{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006703Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.364{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006702Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.364{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-623C-5FDA-AB02-000000009A01}4600C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006701Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.364{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-623C-5FDA-AB02-000000009A01}4600C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006700Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.371{84BF0721-623C-5FDA-AB02-000000009A01}4600C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{84BF0721-623C-5FDA-2471-180000000000}0x1871240HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{84BF0721-5EFF-5FDA-0C00-000000009A01}612C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000006699Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.364{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006698Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.364{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006697Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:36.364{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006791Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:37.630{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006790Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:37.630{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006789Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:37.630{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006788Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:37.567{84BF0721-623C-5FDA-AC02-000000009A01}43124632C:\Windows\system32\conhost.exe{84BF0721-623D-5FDA-B202-000000009A01}2296C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006787Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:37.552{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006786Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:37.552{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006785Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:37.552{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006784Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:37.552{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006783Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:37.552{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006782Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:37.552{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006781Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:37.552{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006780Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:37.552{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006779Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:37.552{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-623D-5FDA-B202-000000009A01}2296C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006778Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:37.552{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006777Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:37.552{84BF0721-623D-5FDA-B102-000000009A01}37683208C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-623D-5FDA-B202-000000009A01}2296C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+7202516(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66a3120(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66a2df1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+71546d6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6663987(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66c1e56(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66a54bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66a54bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66a534c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66972d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66a3804(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66a33f7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66a3120(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+66a2df1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+71546d6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6689c52(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6689222(wow64) 154100x80000000000000006776Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:37.565{84BF0721-623D-5FDA-B202-000000009A01}2296C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-623C-5FDA-2471-180000000000}0x1871240HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{84BF0721-623D-5FDA-B102-000000009A01}3768C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000006775Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:37.489{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-623D-5FDA-B102-000000009A01}3768C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006774Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:37.489{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-623D-5FDA-B102-000000009A01}3768C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006773Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:37.443{84BF0721-623D-5FDA-B102-000000009A01}3768C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_by2nvqwk.lkz.ps12020-12-16 19:38:37.443 10341000x80000000000000006772Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:37.443{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-623D-5FDA-B102-000000009A01}3768C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006771Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:37.380{84BF0721-623C-5FDA-AC02-000000009A01}43124632C:\Windows\system32\conhost.exe{84BF0721-623D-5FDA-B102-000000009A01}3768C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006770Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:37.364{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006769Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:37.364{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006768Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:37.364{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006767Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:37.364{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006766Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:37.364{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006765Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:37.364{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006764Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:37.364{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006763Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:37.364{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006762Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:37.364{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006761Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:37.364{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-623D-5FDA-B102-000000009A01}3768C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006760Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:37.364{84BF0721-623C-5FDA-AF02-000000009A01}47004040C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-623D-5FDA-B102-000000009A01}3768C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+794258b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de3195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+789474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6da39fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e01ecb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de53c1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6dd7346(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de3879(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de346c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de3195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+789474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6dc9cc7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6dc9297(wow64) 154100x80000000000000006759Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:37.377{84BF0721-623D-5FDA-B102-000000009A01}3768C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-623C-5FDA-2471-180000000000}0x1871240HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{84BF0721-623C-5FDA-AF02-000000009A01}4700C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x80000000000000006758Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:37.318{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-623C-5FDA-AF02-000000009A01}4700C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006757Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:37.318{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-623C-5FDA-AF02-000000009A01}4700C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006756Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:37.193{84BF0721-623C-5FDA-AF02-000000009A01}4700C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_u2swppd2.tsc.ps12020-12-16 19:38:37.193 10341000x80000000000000006755Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:37.161{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-623C-5FDA-AF02-000000009A01}4700C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006820Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:38.833{84BF0721-5F00-5FDA-1600-000000009A01}15443156C:\Windows\system32\svchost.exe{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+2227|C:\Windows\system32\wbem\wbemcore.dll+13f4|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006819Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:38.833{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006818Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:38.818{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006817Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:38.818{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006816Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:38.771{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5EFE-5FDA-0B00-000000009A01}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006815Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:38.771{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5EFE-5FDA-0B00-000000009A01}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006814Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:38.771{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1600-000000009A01}1544C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006813Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:38.568{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-623E-5FDA-B502-000000009A01}2592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006812Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:38.536{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-623E-5FDA-B502-000000009A01}2592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006811Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:38.536{84BF0721-615A-5FDA-2701-000000009A01}27044116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-623E-5FDA-B502-000000009A01}2592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006810Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:38.489{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-623E-5FDA-B402-000000009A01}2864C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006809Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:38.489{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-623E-5FDA-B402-000000009A01}2864C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006808Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:38.489{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-623E-5FDA-B402-000000009A01}2864C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006807Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:38.427{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-623E-5FDA-B402-000000009A01}2864C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dall+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006806Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:38.427{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-623E-5FDA-B402-000000009A01}2864C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006805Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:38.396{84BF0721-5F00-5FDA-1600-000000009A01}15444356C:\Windows\system32\svchost.exe{84BF0721-623E-5FDA-B402-000000009A01}2864C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+dc51|C:\Windows\system32\wbem\wbemcore.dll+2cfdf|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006804Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:38.396{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-623E-5FDA-B402-000000009A01}2864C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006803Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:38.380{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-623E-5FDA-B402-000000009A01}2864C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006802Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:38.380{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-623E-5FDA-B402-000000009A01}2864C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006801Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:38.364{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5EFE-5FDA-0B00-000000009A01}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006800Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:38.364{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5EFE-5FDA-0B00-000000009A01}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006799Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:38.364{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1600-000000009A01}1544C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006798Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:38.318{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-623E-5FDA-B302-000000009A01}4952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006797Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:38.302{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-623E-5FDA-B302-000000009A01}4952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006796Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:38.302{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-623E-5FDA-B302-000000009A01}4952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006795Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:38.255{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006794Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:38.255{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006793Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:38.255{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000006792Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:38.208{84BF0721-623C-5FDA-B002-000000009A01}3852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\f0c-0\System.Speech.dll2020-12-16 19:38:38.208 10341000x80000000000000006985Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.739{84BF0721-623F-5FDA-B902-000000009A01}50525092C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe{84BF0721-623F-5FDA-B802-000000009A01}1404C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000006984Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.599{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-623F-5FDA-B902-000000009A01}5052C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006983Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.599{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006982Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.599{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006981Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.599{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006980Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.599{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006979Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.599{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006978Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.599{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006977Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.599{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006976Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.599{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006975Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.599{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006974Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.599{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-623F-5FDA-B902-000000009A01}5052C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006973Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.599{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-623F-5FDA-B902-000000009A01}5052C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006972Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.596{84BF0721-623F-5FDA-B902-000000009A01}5052C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe10.0.14393.3926 (rs1_release.200817-1737)Windows Modules Installer WorkerMicrosoft® Windows® Operating SystemMicrosoft CorporationTiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.3926_none_7ec739a4221e2b99\TiWorker.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{84BF0721-5EFE-5FDA-E703-000000000000}0x3e70SystemMD5=A8CBBA3111CF28435F7E8C8B94EC6FBD,SHA256=D4DDF9F7CB94FE55C7EA1CA90AB9638A883B84308C858EF466554E32FB17EFC3,IMPHASH=38FF53C1CCC1EE4C508C0F83A88C4E19{84BF0721-5EFF-5FDA-0C00-000000009A01}612C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000006971Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.568{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-623F-5FDA-B802-000000009A01}1404C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006970Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.552{84BF0721-5EFE-5FDA-0A00-000000009A01}852912C:\Windows\system32\services.exe{84BF0721-623F-5FDA-B802-000000009A01}1404C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\services.exe+18ff|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006969Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.552{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006968Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.552{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006967Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.552{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006966Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.552{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006965Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.552{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006964Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.552{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006963Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.552{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006962Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.552{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006961Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.552{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006960Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.552{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-623F-5FDA-B802-000000009A01}1404C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006959Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.552{84BF0721-5EFE-5FDA-0A00-000000009A01}8522888C:\Windows\system32\services.exe{84BF0721-623F-5FDA-B802-000000009A01}1404C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+12939|C:\Windows\system32\services.exe+66f4|C:\Windows\system32\services.exe+5154|C:\Windows\system32\services.exe+d7ae|C:\Windows\system32\services.exe+4c6c|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006958Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.554{84BF0721-623F-5FDA-B802-000000009A01}1404C:\Windows\servicing\TrustedInstaller.exe10.0.14393.3564 (rs1_release.200303-1942)Windows Modules InstallerMicrosoft® Windows® Operating SystemMicrosoft CorporationTrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{84BF0721-5EFE-5FDA-E703-000000000000}0x3e70SystemMD5=187076E4BC7B2F5FB7D54D1234B3CDEA,SHA256=7AE4CC64E2F0E5C58ABB6542233DA78B9AEAAD22C9D853AB96265EF3FBFEFABE,IMPHASH=648F735E453FC6802BFAECAC5ACA72A4{84BF0721-5EFE-5FDA-0A00-000000009A01}852C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000006957Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.552{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5EFE-5FDA-0A00-000000009A01}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006956Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.552{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5EFE-5FDA-0B00-000000009A01}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006955Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.552{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5EFE-5FDA-0B00-000000009A01}860C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006954Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.552{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5EFE-5FDA-0A00-000000009A01}852C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006953Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.239{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-623F-5FDA-B702-000000009A01}2644C:\Windows\TEMP\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\dismhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006952Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.239{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006951Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.239{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006950Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.239{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-623F-5FDA-B702-000000009A01}2644C:\Windows\TEMP\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\dismhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000006949Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.239{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006948Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.239{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006947Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.239{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006946Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.239{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006945Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.239{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006944Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.224{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006943Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.224{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006942Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.224{84BF0721-623E-5FDA-B602-000000009A01}38284372C:\Windows\system32\wbem\wmiprvse.exe{84BF0721-623F-5FDA-B702-000000009A01}2644C:\Windows\TEMP\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\dismhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\SYSTEM32\Dism\DismCore.dll+271d6|C:\Windows\SYSTEM32\Dism\DismCore.dll+8eaa|C:\Windows\SYSTEM32\Dism\DismCore.dll+58d4|C:\Windows\SYSTEM32\DismApi.DLL+55245|C:\Windows\SYSTEM32\DismApi.DLL+2c42a|C:\Windows\SYSTEM32\DismApi.DLL+25f36|C:\Windows\SYSTEM32\DismApi.DLL+24cdb|C:\Windows\SYSTEM32\DismApi.DLL+2465f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000006941Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:39.237{84BF0721-623F-5FDA-B702-000000009A01}2644C:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\DismHost.exe10.0.14393.3241 (rs1_release_inmarket.190910-1801)Dism Host Servicing ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationDismHost.exeC:\Windows\TEMP\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\dismhost.exe {DDE86E2B-35CD-46E7-B256-B59AAC98D470}C:\Windows\system32\NT AUTHORITY\SYSTEM{84BF0721-5EFE-5FDA-E703-000000000000}0x3e70SystemMD5=E8007EB8977E83D29F30A122771C09AA,SHA256=33069F383011494299AD95C20D45929D5FC64C0E4E8441C6425F324B02744A20,IMPHASH=734010D3430DBD2CA51B599924FE1424{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding 11241100x80000000000000006940Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.224{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-service-winsvc-l1-1-0.dll2020-12-16 19:38:39.224 11241100x80000000000000006939Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.224{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-service-private-l1-1-1.dll2020-12-16 19:38:39.224 11241100x80000000000000006938Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.224{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-service-private-l1-1-0.dll2020-12-16 19:38:39.224 11241100x80000000000000006937Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.224{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-service-management-l2-1-0.dll2020-12-16 19:38:39.224 11241100x80000000000000006936Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.224{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-service-management-l1-1-0.dll2020-12-16 19:38:39.224 11241100x80000000000000006935Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.224{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-service-core-l1-1-1.dll2020-12-16 19:38:39.224 11241100x80000000000000006934Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.224{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-service-core-l1-1-0.dll2020-12-16 19:38:39.224 11241100x80000000000000006933Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.208{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-security-sddl-l1-1-0.dll2020-12-16 19:38:39.208 11241100x80000000000000006932Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.208{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\API-MS-Win-security-provider-L1-1-0.dll2020-12-16 19:38:39.208 11241100x80000000000000006931Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.208{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\API-MS-Win-security-lsapolicy-l1-1-0.dll2020-12-16 19:38:39.208 11241100x80000000000000006930Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.208{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\API-MS-Win-Security-Lsalookup-L2-1-1.dll2020-12-16 19:38:39.208 11241100x80000000000000006929Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.208{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\API-MS-Win-Security-Lsalookup-L2-1-0.dll2020-12-16 19:38:39.208 11241100x80000000000000006928Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.208{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-security-cryptoapi-l1-1-0.dll2020-12-16 19:38:39.208 11241100x80000000000000006927Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.208{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-security-base-l1-1-0.dll2020-12-16 19:38:39.208 11241100x80000000000000006926Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.208{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\API-MS-Win-EventLog-Legacy-L1-1-0.dll2020-12-16 19:38:39.208 11241100x80000000000000006925Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.208{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\API-MS-Win-Eventing-Provider-L1-1-0.dll2020-12-16 19:38:39.208 11241100x80000000000000006924Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.208{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\API-MS-Win-Eventing-Legacy-L1-1-0.dll2020-12-16 19:38:39.208 11241100x80000000000000006923Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.193{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\API-MS-Win-Eventing-Controller-L1-1-0.dll2020-12-16 19:38:39.193 11241100x80000000000000006922Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.193{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-eventing-consumer-l1-1-0.dll2020-12-16 19:38:39.193 11241100x80000000000000006921Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.193{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\API-MS-Win-Eventing-ClassicProvider-L1-1-0.dll2020-12-16 19:38:39.193 11241100x80000000000000006920Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.193{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\API-MS-Win-devices-config-L1-1-1.dll2020-12-16 19:38:39.193 11241100x80000000000000006919Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.193{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\API-MS-Win-devices-config-L1-1-0.dll2020-12-16 19:38:39.193 11241100x80000000000000006918Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.193{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\API-MS-Win-core-xstate-l2-1-0.dll2020-12-16 19:38:39.193 11241100x80000000000000006917Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.193{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-xstate-l1-1-0.dll2020-12-16 19:38:39.193 11241100x80000000000000006916Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.193{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-wow64-l1-1-0.dll2020-12-16 19:38:39.193 11241100x80000000000000006915Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.193{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-version-l1-1-0.dll2020-12-16 19:38:39.193 11241100x80000000000000006914Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.193{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-util-l1-1-0.dll2020-12-16 19:38:39.193 11241100x80000000000000006913Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.177{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-url-l1-1-0.dll2020-12-16 19:38:39.177 11241100x80000000000000006912Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.177{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-timezone-l1-1-0.dll2020-12-16 19:38:39.177 11241100x80000000000000006911Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.177{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-threadpool-private-l1-1-0.dll2020-12-16 19:38:39.177 11241100x80000000000000006910Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.177{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-threadpool-legacy-l1-1-0.dll2020-12-16 19:38:39.177 11241100x80000000000000006909Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.177{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-threadpool-l1-2-0.dll2020-12-16 19:38:39.177 11241100x80000000000000006908Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.177{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-sysinfo-l1-2-1.dll2020-12-16 19:38:39.177 11241100x80000000000000006907Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.177{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-sysinfo-l1-2-0.dll2020-12-16 19:38:39.177 11241100x80000000000000006906Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.177{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-sysinfo-l1-1-0.dll2020-12-16 19:38:39.177 11241100x80000000000000006905Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.177{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-synch-l1-2-0.dll2020-12-16 19:38:39.177 11241100x80000000000000006904Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.177{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-synch-l1-1-0.dll2020-12-16 19:38:39.177 11241100x80000000000000006903Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.177{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-stringloader-l1-1-1.dll2020-12-16 19:38:39.177 11241100x80000000000000006902Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.161{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-stringansi-l1-1-0.dll2020-12-16 19:38:39.161 11241100x80000000000000006901Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.161{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\API-MS-Win-core-string-obsolete-l1-1-0.dll2020-12-16 19:38:39.161 11241100x80000000000000006900Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.161{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\API-MS-Win-core-string-l2-1-0.dll2020-12-16 19:38:39.161 11241100x80000000000000006899Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.161{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-string-l1-1-0.dll2020-12-16 19:38:39.161 11241100x80000000000000006898Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.161{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-shutdown-l1-1-0.dll2020-12-16 19:38:39.161 11241100x80000000000000006897Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.161{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-shlwapi-obsolete-l1-1-0.dll2020-12-16 19:38:39.161 11241100x80000000000000006896Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.161{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-shlwapi-legacy-l1-1-0.dll2020-12-16 19:38:39.161 11241100x80000000000000006895Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.161{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-rtlsupport-l1-1-0.dll2020-12-16 19:38:39.161 11241100x80000000000000006894Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.161{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-registry-l2-1-0.dll2020-12-16 19:38:39.161 11241100x80000000000000006893Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.161{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-registry-l1-1-0.dll2020-12-16 19:38:39.161 11241100x80000000000000006892Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.161{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-realtime-l1-1-0.dll2020-12-16 19:38:39.146 11241100x80000000000000006891Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.146{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-profile-l1-1-0.dll2020-12-16 19:38:39.146 11241100x80000000000000006890Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.146{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-processtopology-obsolete-l1-1-0.dll2020-12-16 19:38:39.146 11241100x80000000000000006889Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.146{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-processthreads-l1-1-2.dll2020-12-16 19:38:39.146 11241100x80000000000000006888Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.146{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-processthreads-l1-1-1.dll2020-12-16 19:38:39.146 11241100x80000000000000006887Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.146{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-processthreads-l1-1-0.dll2020-12-16 19:38:39.146 11241100x80000000000000006886Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.146{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-processenvironment-l1-2-0.dll2020-12-16 19:38:39.146 11241100x80000000000000006885Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.146{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-processenvironment-l1-1-0.dll2020-12-16 19:38:39.146 11241100x80000000000000006884Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.146{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-privateprofile-l1-1-1.dll2020-12-16 19:38:39.146 11241100x80000000000000006883Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.146{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-privateprofile-l1-1-0.dll2020-12-16 19:38:39.146 11241100x80000000000000006882Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.146{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-namedpipe-l1-1-0.dll2020-12-16 19:38:39.146 11241100x80000000000000006881Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.130{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-memory-l1-1-2.dll2020-12-16 19:38:39.130 11241100x80000000000000006880Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.130{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-memory-l1-1-1.dll2020-12-16 19:38:39.130 11241100x80000000000000006879Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.130{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-memory-l1-1-0.dll2020-12-16 19:38:39.130 11241100x80000000000000006878Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.130{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\API-MS-Win-core-localization-obsolete-l1-2-0.dll2020-12-16 19:38:39.130 11241100x80000000000000006877Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.130{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-localization-l1-2-1.dll2020-12-16 19:38:39.130 11241100x80000000000000006876Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.130{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-localization-l1-2-0.dll2020-12-16 19:38:39.130 11241100x80000000000000006875Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.130{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-libraryloader-l1-1-1.dll2020-12-16 19:38:39.130 11241100x80000000000000006874Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.130{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-libraryloader-l1-1-0.dll2020-12-16 19:38:39.130 11241100x80000000000000006873Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.130{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\API-MS-Win-Core-Kernel32-Private-L1-1-1.dll2020-12-16 19:38:39.130 11241100x80000000000000006872Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.130{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\API-MS-Win-Core-Kernel32-Private-L1-1-0.dll2020-12-16 19:38:39.130 11241100x80000000000000006871Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.114{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-kernel32-legacy-l1-1-1.dll2020-12-16 19:38:39.114 11241100x80000000000000006870Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.114{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-kernel32-legacy-l1-1-0.dll2020-12-16 19:38:39.114 11241100x80000000000000006869Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.114{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-io-l1-1-1.dll2020-12-16 19:38:39.114 11241100x80000000000000006868Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.114{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-io-l1-1-0.dll2020-12-16 19:38:39.114 11241100x80000000000000006867Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.114{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-interlocked-l1-1-0.dll2020-12-16 19:38:39.114 11241100x80000000000000006866Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.114{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\API-MS-Win-Core-Heap-Obsolete-L1-1-0.dll2020-12-16 19:38:39.114 11241100x80000000000000006865Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.114{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-heap-l1-1-0.dll2020-12-16 19:38:39.114 11241100x80000000000000006864Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.114{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-handle-l1-1-0.dll2020-12-16 19:38:39.114 11241100x80000000000000006863Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.114{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\API-MS-Win-core-file-l2-1-1.dll2020-12-16 19:38:39.114 11241100x80000000000000006862Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.114{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\API-MS-Win-core-file-l2-1-0.dll2020-12-16 19:38:39.114 11241100x80000000000000006861Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.099{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-file-l1-2-1.dll2020-12-16 19:38:39.099 11241100x80000000000000006860Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.099{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-file-l1-2-0.dll2020-12-16 19:38:39.099 11241100x80000000000000006859Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.099{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-file-l1-1-0.dll2020-12-16 19:38:39.099 11241100x80000000000000006858Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.099{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-fibers-l1-1-1.dll2020-12-16 19:38:39.099 11241100x80000000000000006857Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.099{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-fibers-l1-1-0.dll2020-12-16 19:38:39.099 11241100x80000000000000006856Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.099{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-errorhandling-l1-1-1.dll2020-12-16 19:38:39.099 11241100x80000000000000006855Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.099{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-errorhandling-l1-1-0.dll2020-12-16 19:38:39.099 11241100x80000000000000006854Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.099{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-delayload-l1-1-0.dll2020-12-16 19:38:39.099 11241100x80000000000000006853Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.099{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-debug-l1-1-1.dll2020-12-16 19:38:39.083 11241100x80000000000000006852Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.083{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-debug-l1-1-0.dll2020-12-16 19:38:39.083 11241100x80000000000000006851Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.083{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-datetime-l1-1-1.dll2020-12-16 19:38:39.083 11241100x80000000000000006850Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.083{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-datetime-l1-1-0.dll2020-12-16 19:38:39.083 11241100x80000000000000006849Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.083{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-console-l1-1-0.dll2020-12-16 19:38:39.083 11241100x80000000000000006848Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.083{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-comm-l1-1-0.dll2020-12-16 19:38:39.083 11241100x80000000000000006847Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.083{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-core-com-l1-1-0.dll2020-12-16 19:38:39.083 11241100x80000000000000006846Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.083{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\api-ms-win-base-util-l1-1-0.dll2020-12-16 19:38:39.083 11241100x80000000000000006845Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.083{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\WimProvider.dll2020-12-16 19:38:39.083 11241100x80000000000000006844Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.083{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\VhdProvider.dll2020-12-16 19:38:39.083 11241100x80000000000000006843Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.068{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\UnattendProvider.dll2020-12-16 19:38:39.068 11241100x80000000000000006842Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.068{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\TransmogProvider.dll2020-12-16 19:38:39.068 11241100x80000000000000006841Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.068{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\SmiProvider.dll2020-12-16 19:38:39.068 11241100x80000000000000006840Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.068{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\ProvProvider.dll2020-12-16 19:38:39.068 11241100x80000000000000006839Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.068{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\OSProvider.dll2020-12-16 19:38:39.068 11241100x80000000000000006838Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.052{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\OfflineSetupProvider.dll2020-12-16 19:38:39.052 11241100x80000000000000006837Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.052{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\MsiProvider.dll2020-12-16 19:38:39.052 11241100x80000000000000006836Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.052{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\LogProvider.dll2020-12-16 19:38:39.052 11241100x80000000000000006835Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.052{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\IntlProvider.dll2020-12-16 19:38:39.052 11241100x80000000000000006834Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.052{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\ImagingProvider.dll2020-12-16 19:38:39.052 11241100x80000000000000006833Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.052{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\IBSProvider.dll2020-12-16 19:38:39.052 11241100x80000000000000006832Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.052{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\GenericProvider.dll2020-12-16 19:38:39.052 11241100x80000000000000006831Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.052{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\FolderProvider.dll2020-12-16 19:38:39.052 11241100x80000000000000006830Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.052{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\FfuProvider.dll2020-12-16 19:38:39.052 11241100x80000000000000006829Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.005{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\DmiProvider.dll2020-12-16 19:38:39.005 11241100x80000000000000006828Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.005{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\DismProv.dll2020-12-16 19:38:39.005 11241100x80000000000000006827Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localEXE2020-12-16 19:38:39.005{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\DismHost.exe2020-12-16 19:38:39.005 11241100x80000000000000006826Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.005{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\DismCorePS.dll2020-12-16 19:38:39.005 11241100x80000000000000006825Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.005{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\DismCore.dll2020-12-16 19:38:39.005 11241100x80000000000000006824Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.005{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\CompatProvider.dll2020-12-16 19:38:39.005 11241100x80000000000000006823Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.005{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\CbsProvider.dll2020-12-16 19:38:39.005 11241100x80000000000000006822Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:39.005{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\AssocProvider.dll2020-12-16 19:38:39.005 11241100x80000000000000006821Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:38.989{84BF0721-623E-5FDA-B602-000000009A01}3828C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\Temp\3D4195AC-0B9D-4D46-97E4-0EE7E1467DC7\AppxProvider.dll2020-12-16 19:38:38.989 734700x80000000000000006987Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:43.630{84BF0721-623D-5FDA-B102-000000009A01}3768C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x80000000000000006986Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:43.599{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-623D-5FDA-B102-000000009A01}3768C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1fb7a|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+178ce|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007016Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:45.942{84BF0721-5F00-5FDA-1400-000000009A01}13242432C:\Windows\system32\svchost.exe{84BF0721-6245-5FDA-BA02-000000009A01}5064C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000007015Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:45.927{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6245-5FDA-BA02-000000009A01}5064C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007014Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:45.896{84BF0721-6245-5FDA-BB02-000000009A01}6684992C:\Windows\system32\conhost.exe{84BF0721-6245-5FDA-BA02-000000009A01}5064C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007013Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:45.864{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-6245-5FDA-BB02-000000009A01}668C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007012Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:45.817{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007011Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:45.817{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007010Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:45.817{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007009Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:45.817{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007008Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:45.817{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007007Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:45.817{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007006Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:45.817{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007005Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:45.817{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007004Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:45.817{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007003Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:45.802{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-6245-5FDA-BA02-000000009A01}5064C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007002Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:45.802{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-6245-5FDA-BA02-000000009A01}5064C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007001Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:45.816{84BF0721-6245-5FDA-BA02-000000009A01}5064C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{84BF0721-6245-5FDA-1A7F-1A0000000000}0x1a7f1a0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{84BF0721-5EFF-5FDA-0C00-000000009A01}612C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000007000Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:45.802{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006999Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:45.802{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006998Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:45.802{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x80000000000000006997Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:43.704{84BF0721-623D-5FDA-B102-000000009A01}3768win-dc-644.attackrange.local0fe80::9576:992b:2b38:834d;::ffff:10.0.1.14;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 354300x80000000000000006996Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:43.730{84BF0721-623D-5FDA-B102-000000009A01}3768C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-644.attackrange.local59169-false10.0.1.14win-dc-644.attackrange.local389ldap 354300x80000000000000006995Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:43.719{84BF0721-623D-5FDA-B102-000000009A01}3768C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-644.attackrange.local59168-false10.0.1.14win-dc-644.attackrange.local389ldap 354300x80000000000000006994Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:43.699{84BF0721-623D-5FDA-B102-000000009A01}3768C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-644.attackrange.local59167-false10.0.1.14win-dc-644.attackrange.local389ldap 10341000x80000000000000006993Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:45.364{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006992Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:45.364{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006991Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:45.364{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006990Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:45.255{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006989Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:45.255{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000006988Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:45.255{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007051Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:46.724{84BF0721-6246-5FDA-BD02-000000009A01}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_12vpdw0o.031.ps12020-12-16 19:38:46.724 10341000x80000000000000007050Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:46.708{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6246-5FDA-BD02-000000009A01}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x80000000000000007049Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:45.021{84BF0721-623D-5FDA-B102-000000009A01}3768C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruetrue0:0:0:0:0:0:0:1win-dc-644.attackrange.local59170-true0:0:0:0:0:0:0:1win-dc-644.attackrange.local47001- 10341000x80000000000000007048Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:46.146{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007047Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:46.146{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007046Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:46.146{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007045Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:46.052{84BF0721-6245-5FDA-BB02-000000009A01}6684992C:\Windows\system32\conhost.exe{84BF0721-6246-5FDA-BD02-000000009A01}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007044Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:46.052{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007043Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:46.052{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007042Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:46.052{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007041Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:46.052{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007040Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:46.052{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007039Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:46.052{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007038Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:46.052{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007037Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:46.052{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007036Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:46.052{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007035Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:46.052{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-6246-5FDA-BD02-000000009A01}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007034Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:46.052{84BF0721-6246-5FDA-BC02-000000009A01}20124216C:\Windows\system32\cmd.exe{84BF0721-6246-5FDA-BD02-000000009A01}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007033Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:46.061{84BF0721-6246-5FDA-BD02-000000009A01}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-6245-5FDA-1A7F-1A0000000000}0x1a7f1a0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{84BF0721-6246-5FDA-BC02-000000009A01}2012C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x80000000000000007032Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:46.052{84BF0721-6245-5FDA-BB02-000000009A01}6684992C:\Windows\system32\conhost.exe{84BF0721-6246-5FDA-BC02-000000009A01}2012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007031Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:46.052{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007030Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:46.052{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007029Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:46.052{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007028Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:46.052{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007027Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:46.052{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007026Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:46.052{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007025Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:46.052{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007024Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:46.052{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007023Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:46.052{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-6246-5FDA-BC02-000000009A01}2012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007022Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:46.052{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007021Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:46.052{84BF0721-6245-5FDA-BA02-000000009A01}50644560C:\Windows\system32\WinrsHost.exe{84BF0721-6246-5FDA-BC02-000000009A01}2012C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x80000000000000007020Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:46.054{84BF0721-6246-5FDA-BC02-000000009A01}2012C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-6245-5FDA-1A7F-1A0000000000}0x1a7f1a0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{84BF0721-6245-5FDA-BA02-000000009A01}5064C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000007019Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:46.036{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007018Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:46.036{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007017Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:46.036{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007102Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:47.989{84BF0721-623E-5FDA-B502-000000009A01}2592C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\a20-0\System.Web.dll2020-12-16 19:38:47.989 10341000x80000000000000007101Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.911{84BF0721-6245-5FDA-BB02-000000009A01}6684992C:\Windows\system32\conhost.exe{84BF0721-6247-5FDA-C002-000000009A01}3052C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007100Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.896{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007099Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.896{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007098Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.896{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007097Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.896{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007096Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.896{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007095Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.896{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007094Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.896{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007093Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.896{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007092Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.896{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007091Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.896{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-6247-5FDA-C002-000000009A01}3052C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007090Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.896{84BF0721-6247-5FDA-BE02-000000009A01}33444440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-6247-5FDA-C002-000000009A01}3052C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c19a9|UNKNOWN(00007FFEB826B68F) 154100x80000000000000007089Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.875{84BF0721-6247-5FDA-C002-000000009A01}3052C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\bmtvqlzo.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-6245-5FDA-1A7F-1A0000000000}0x1a7f1a0HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{84BF0721-6247-5FDA-BE02-000000009A01}3344C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x80000000000000007088Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.864{84BF0721-6247-5FDA-BE02-000000009A01}3344C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\bmtvqlzo.cmdline2020-12-16 19:38:47.864 11241100x80000000000000007087Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:47.864{84BF0721-6247-5FDA-BE02-000000009A01}3344C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\bmtvqlzo.dll2020-12-16 19:38:47.864 10341000x80000000000000007086Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.474{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007085Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.474{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007084Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.474{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007083Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.239{84BF0721-6245-5FDA-BB02-000000009A01}6684992C:\Windows\system32\conhost.exe{84BF0721-6247-5FDA-BF02-000000009A01}3468C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007082Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.239{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007081Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.239{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007080Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.239{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007079Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.239{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007078Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.239{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007077Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.239{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007076Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.239{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007075Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.239{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007074Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.239{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007073Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.239{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-6247-5FDA-BF02-000000009A01}3468C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007072Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.239{84BF0721-6247-5FDA-BE02-000000009A01}33444440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-6247-5FDA-BF02-000000009A01}3468C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+8d25a7eb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+8c6fb3f5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+8c6fb0c6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+8d1ac9ab|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+8c6bbc5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+8c71a12b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+8c6fd790|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+8c6fd790|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+8c6fd621|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+8c6ef5a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+8c6fbad9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+8c6fb6cc|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+8c6fb3f5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+8c6fb0c6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+8d1ac9ab|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+8c6e1f27|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+8c6e14f7 154100x80000000000000007071Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.239{84BF0721-6247-5FDA-BF02-000000009A01}3468C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-6245-5FDA-1A7F-1A0000000000}0x1a7f1a0HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{84BF0721-6247-5FDA-BE02-000000009A01}3344C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000007070Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.177{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-6247-5FDA-BE02-000000009A01}3344C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007069Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.177{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-6247-5FDA-BE02-000000009A01}3344C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007068Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.130{84BF0721-6247-5FDA-BE02-000000009A01}3344C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_0lqvquqb.aq1.ps12020-12-16 19:38:47.130 10341000x80000000000000007067Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.114{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6247-5FDA-BE02-000000009A01}3344C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007066Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.083{84BF0721-6245-5FDA-BB02-000000009A01}6684992C:\Windows\system32\conhost.exe{84BF0721-6247-5FDA-BE02-000000009A01}3344C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007065Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.083{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007064Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.083{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007063Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.083{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007062Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.083{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007061Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.083{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007060Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.083{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007059Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.083{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007058Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.083{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007057Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.083{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007056Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.083{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-6247-5FDA-BE02-000000009A01}3344C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007055Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.083{84BF0721-6246-5FDA-BD02-000000009A01}41763392C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-6247-5FDA-BE02-000000009A01}3344C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+753255d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+69d3167(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+69d2e38(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+748471d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+69939ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+69f1e9d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+69d5502(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+69d5502(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+69d5393(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+69c7318(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+69d384b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+69d343e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+69d3167(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+69d2e38(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+748471d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+69b9c99(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+69b9269(wow64) 154100x80000000000000007054Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.092{84BF0721-6247-5FDA-BE02-000000009A01}3344C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-6245-5FDA-1A7F-1A0000000000}0x1a7f1a0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{84BF0721-6246-5FDA-BD02-000000009A01}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x80000000000000007053Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.021{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-6246-5FDA-BD02-000000009A01}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007052Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:47.021{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-6246-5FDA-BD02-000000009A01}4176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007157Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.786{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007156Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.786{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007155Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.786{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007154Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.708{84BF0721-6245-5FDA-BB02-000000009A01}6684992C:\Windows\system32\conhost.exe{84BF0721-6248-5FDA-C402-000000009A01}5060C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007153Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.692{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007152Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.692{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007151Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.692{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007150Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.692{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007149Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.692{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007148Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.692{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007147Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.692{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007146Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.692{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007145Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.692{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007144Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.692{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-6248-5FDA-C402-000000009A01}5060C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007143Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.692{84BF0721-6248-5FDA-C302-000000009A01}25084424C:\Windows\system32\cmd.exe{84BF0721-6248-5FDA-C402-000000009A01}5060C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007142Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.701{84BF0721-6248-5FDA-C402-000000009A01}5060C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-6245-5FDA-1A7F-1A0000000000}0x1a7f1a0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{84BF0721-6248-5FDA-C302-000000009A01}2508C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x80000000000000007141Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.692{84BF0721-6245-5FDA-BB02-000000009A01}6684992C:\Windows\system32\conhost.exe{84BF0721-6248-5FDA-C302-000000009A01}2508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007140Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.692{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007139Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.692{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007138Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.692{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007137Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.692{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007136Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.692{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007135Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.692{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007134Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.692{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007133Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.692{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007132Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.692{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007131Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.692{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-6248-5FDA-C302-000000009A01}2508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007130Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.692{84BF0721-6245-5FDA-BA02-000000009A01}50644560C:\Windows\system32\WinrsHost.exe{84BF0721-6248-5FDA-C302-000000009A01}2508C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x80000000000000007129Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.692{84BF0721-6248-5FDA-C302-000000009A01}2508C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-6245-5FDA-1A7F-1A0000000000}0x1a7f1a0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{84BF0721-6245-5FDA-BA02-000000009A01}5064C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000007128Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.677{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007127Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.677{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007126Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.677{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007125Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.567{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007124Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.567{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007123Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.567{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007122Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.427{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6248-5FDA-C202-000000009A01}3200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007121Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.396{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-6248-5FDA-C202-000000009A01}3200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007120Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.396{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6248-5FDA-C202-000000009A01}3200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007119Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:48.099{84BF0721-6247-5FDA-C002-000000009A01}3052C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\bmtvqlzo.dll2020-12-16 19:38:47.864 10341000x80000000000000007118Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.099{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007117Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.099{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007116Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.099{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007115Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.083{84BF0721-6245-5FDA-BB02-000000009A01}6684992C:\Windows\system32\conhost.exe{84BF0721-6248-5FDA-C102-000000009A01}1968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007114Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.083{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007113Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.083{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007112Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.083{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007111Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.083{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007110Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.083{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007109Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.083{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007108Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.083{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007107Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.083{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007106Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.083{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007105Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.083{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-6248-5FDA-C102-000000009A01}1968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007104Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.083{84BF0721-6247-5FDA-C002-000000009A01}30522956C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{84BF0721-6248-5FDA-C102-000000009A01}1968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007103Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:48.093{84BF0721-6248-5FDA-C102-000000009A01}1968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESF051.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSC3EC6CB152E644A44965E877DDD5AEFF.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-6245-5FDA-1A7F-1A0000000000}0x1a7f1a0HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{84BF0721-6247-5FDA-C002-000000009A01}3052C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\bmtvqlzo.cmdline" 10341000x80000000000000007211Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.755{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007210Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.755{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007209Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.755{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007208Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.708{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6249-5FDA-CB02-000000009A01}2144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007207Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.692{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-6249-5FDA-CB02-000000009A01}2144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007206Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.692{84BF0721-615A-5FDA-2701-000000009A01}27044116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6249-5FDA-CB02-000000009A01}2144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007205Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.677{84BF0721-6245-5FDA-BB02-000000009A01}6684992C:\Windows\system32\conhost.exe{84BF0721-6249-5FDA-CA02-000000009A01}656C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007204Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.677{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007203Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.677{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007202Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.677{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007201Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.677{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007200Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.677{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007199Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.677{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007198Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.677{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007197Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.677{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007196Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.677{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007195Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.677{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-6249-5FDA-CA02-000000009A01}656C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007194Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.677{84BF0721-6249-5FDA-C902-000000009A01}31361588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-6249-5FDA-CA02-000000009A01}656C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4732522(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3bd312c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3bd2dfd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+46846e2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3b93993(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3bf1e62(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3bd54c7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3bd54c7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3bd5358(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3bc72dd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3bd3810(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3bd3403(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3bd312c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3bd2dfd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+46846e2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3bb9c5e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3bb922e(wow64) 154100x80000000000000007193Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.676{84BF0721-6249-5FDA-CA02-000000009A01}656C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-6245-5FDA-1A7F-1A0000000000}0x1a7f1a0HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{84BF0721-6249-5FDA-C902-000000009A01}3136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000007192Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.614{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-6249-5FDA-C902-000000009A01}3136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007191Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.614{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-6249-5FDA-C902-000000009A01}3136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007190Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.567{84BF0721-6249-5FDA-C902-000000009A01}3136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_gzj5nhlo.wjp.ps12020-12-16 19:38:49.567 10341000x80000000000000007189Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.552{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6249-5FDA-C902-000000009A01}3136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007188Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.521{84BF0721-6245-5FDA-BB02-000000009A01}6684992C:\Windows\system32\conhost.exe{84BF0721-6249-5FDA-C902-000000009A01}3136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007187Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.521{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007186Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.521{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007185Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.521{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007184Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.521{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007183Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.521{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007182Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.521{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007181Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.521{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007180Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.521{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007179Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.521{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007178Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.521{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-6249-5FDA-C902-000000009A01}3136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007177Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.521{84BF0721-6248-5FDA-C402-000000009A01}50605044C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-6249-5FDA-C902-000000009A01}3136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4a1255d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3eb3167(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3eb2e38(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+496471d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3e739ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3ed1e9d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3eb5502(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3eb5502(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3eb5393(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3ea7318(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3eb384b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3eb343e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3eb3167(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3eb2e38(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+496471d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3e99c99(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3e99269(wow64) 154100x80000000000000007176Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.527{84BF0721-6249-5FDA-C902-000000009A01}3136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-6245-5FDA-1A7F-1A0000000000}0x1a7f1a0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{84BF0721-6248-5FDA-C402-000000009A01}5060C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x80000000000000007175Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.474{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-6248-5FDA-C402-000000009A01}5060C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007174Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.474{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-6248-5FDA-C402-000000009A01}5060C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007173Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.349{84BF0721-6248-5FDA-C402-000000009A01}5060C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_uimlat0q.byi.ps12020-12-16 19:38:49.349 10341000x80000000000000007172Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.333{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6249-5FDA-C802-000000009A01}4364C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007171Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.333{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-6249-5FDA-C802-000000009A01}4364C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007170Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.333{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6249-5FDA-C802-000000009A01}4364C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007169Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:49.270{84BF0721-6249-5FDA-C702-000000009A01}3208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\c88-0\System.Web.ApplicationServices.dll2020-12-16 19:38:49.270 10341000x80000000000000007168Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.208{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6249-5FDA-C702-000000009A01}3208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007167Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.192{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-6249-5FDA-C702-000000009A01}3208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007166Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.192{84BF0721-615A-5FDA-2701-000000009A01}27044116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6249-5FDA-C702-000000009A01}3208C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007165Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.146{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6249-5FDA-C602-000000009A01}4916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007164Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.130{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-6249-5FDA-C602-000000009A01}4916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007163Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.130{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6249-5FDA-C602-000000009A01}4916C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007162Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:49.067{84BF0721-6249-5FDA-C502-000000009A01}3772C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\ebc-0\System.Web.Abstractions.dll2020-12-16 19:38:49.067 10341000x80000000000000007161Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.052{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6248-5FDA-C402-000000009A01}5060C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007160Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.052{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6249-5FDA-C502-000000009A01}3772C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007159Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.021{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-6249-5FDA-C502-000000009A01}3772C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007158Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:49.021{84BF0721-615A-5FDA-2701-000000009A01}27044116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6249-5FDA-C502-000000009A01}3772C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007260Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.895{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007259Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.895{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007258Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.895{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007257Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.692{84BF0721-624A-5FDA-CD02-000000009A01}43523204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{84BF0721-5FA9-5FDA-B300-000000009A01}4840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007256Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.505{84BF0721-5FA9-5FDA-B700-000000009A01}39644892C:\Windows\system32\conhost.exe{84BF0721-624A-5FDA-CD02-000000009A01}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007255Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.505{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007254Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.505{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007253Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.505{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007252Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.505{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007251Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.505{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007250Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.505{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007249Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.505{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007248Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.505{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007247Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.505{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007246Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.505{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-624A-5FDA-CD02-000000009A01}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007245Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.505{84BF0721-5FA9-5FDA-B300-000000009A01}48404756C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{84BF0721-624A-5FDA-CD02-000000009A01}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007244Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.366{84BF0721-624A-5FDA-CD02-000000009A01}4352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{84BF0721-5EFE-5FDA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{84BF0721-5FA9-5FDA-B300-000000009A01}4840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000007243Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:50.411{84BF0721-624A-5FDA-CC02-000000009A01}4316C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\f51ab2oq.dll2020-12-16 19:38:50.286 10341000x80000000000000007242Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.411{84BF0721-6245-5FDA-BB02-000000009A01}6684992C:\Windows\system32\conhost.exe{84BF0721-624A-5FDA-CE02-000000009A01}5072C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007241Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.411{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007240Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.411{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007239Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.411{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007238Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.411{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007237Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.411{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007236Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.411{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007235Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.411{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007234Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.411{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007233Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.411{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-624A-5FDA-CE02-000000009A01}5072C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007232Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.411{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007231Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.411{84BF0721-624A-5FDA-CC02-000000009A01}43164248C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{84BF0721-624A-5FDA-CE02-000000009A01}5072C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007230Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.411{84BF0721-624A-5FDA-CE02-000000009A01}5072C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RESF959.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSC6977308CD9644C719A89F7334DFE1572.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-6245-5FDA-1A7F-1A0000000000}0x1a7f1a0HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{84BF0721-624A-5FDA-CC02-000000009A01}4316C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\f51ab2oq.cmdline" 10341000x80000000000000007229Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.364{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007228Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.364{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007227Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.364{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007226Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.302{84BF0721-6245-5FDA-BB02-000000009A01}6684992C:\Windows\system32\conhost.exe{84BF0721-624A-5FDA-CC02-000000009A01}4316C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007225Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.302{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007224Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.302{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007223Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.302{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007222Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.302{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007221Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.302{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007220Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.302{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007219Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.302{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007218Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.302{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007217Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.302{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007216Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.302{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-624A-5FDA-CC02-000000009A01}4316C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007215Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.302{84BF0721-6249-5FDA-C902-000000009A01}31361588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-624A-5FDA-CC02-000000009A01}4316C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c19a9|UNKNOWN(00007FFEB825B68F) 154100x80000000000000007214Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.304{84BF0721-624A-5FDA-CC02-000000009A01}4316C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\f51ab2oq.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-6245-5FDA-1A7F-1A0000000000}0x1a7f1a0HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{84BF0721-6249-5FDA-C902-000000009A01}3136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x80000000000000007213Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:50.302{84BF0721-6249-5FDA-C902-000000009A01}3136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\f51ab2oq.cmdline2020-12-16 19:38:50.302 11241100x80000000000000007212Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:50.286{84BF0721-6249-5FDA-C902-000000009A01}3136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\f51ab2oq.dll2020-12-16 19:38:50.286 10341000x80000000000000007374Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.942{84BF0721-624B-5FDA-D102-000000009A01}44403232C:\Windows\system32\conhost.exe{84BF0721-624B-5FDA-D602-000000009A01}3888C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007373Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.942{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007372Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.927{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007371Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.927{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007370Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.927{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007369Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.927{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007368Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.927{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007367Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.927{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007366Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.927{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007365Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.927{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007364Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.927{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-624B-5FDA-D602-000000009A01}3888C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007363Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.927{84BF0721-624B-5FDA-D402-000000009A01}41564132C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-624B-5FDA-D602-000000009A01}3888C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c17e7bcb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c0c887d5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c0c884a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c1739d8b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c0c4903c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c0ca750b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c0c8ab70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c0c8ab70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c0c8aa01|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c0c7c986|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c0c88eb9|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c0c88aac|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c0c887d5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c0c884a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c1739d8b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c0c6f307|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+c0c6e8d7 154100x80000000000000007362Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.940{84BF0721-624B-5FDA-D602-000000009A01}3888C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-624B-5FDA-C743-1B0000000000}0x1b43c70HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{84BF0721-624B-5FDA-D402-000000009A01}4156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000007361Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.927{84BF0721-5FA9-5FDA-B700-000000009A01}39644892C:\Windows\system32\conhost.exe{84BF0721-624B-5FDA-D502-000000009A01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007360Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.927{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007359Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.927{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007358Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.927{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007357Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.927{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007356Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.927{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007355Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.927{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007354Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.927{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007353Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.927{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007352Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.927{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007351Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.927{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-624B-5FDA-D502-000000009A01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007350Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.927{84BF0721-5FA9-5FDA-B300-000000009A01}48404756C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{84BF0721-624B-5FDA-D502-000000009A01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007349Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.788{84BF0721-624B-5FDA-D502-000000009A01}4012C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{84BF0721-5EFE-5FDA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{84BF0721-5FA9-5FDA-B300-000000009A01}4840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007348Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.864{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-624B-5FDA-D402-000000009A01}4156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007347Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.864{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-624B-5FDA-D402-000000009A01}4156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007346Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.833{84BF0721-624B-5FDA-D402-000000009A01}4156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_hbq4aoo0.1pt.ps12020-12-16 19:38:51.833 10341000x80000000000000007345Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.817{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-624B-5FDA-D402-000000009A01}4156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007344Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.786{84BF0721-624B-5FDA-D102-000000009A01}44403232C:\Windows\system32\conhost.exe{84BF0721-624B-5FDA-D402-000000009A01}4156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007343Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.786{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007342Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.786{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007341Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.786{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007340Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.786{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007339Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.786{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007338Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.786{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007337Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.786{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007336Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.786{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007335Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.786{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007334Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.786{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-624B-5FDA-D402-000000009A01}4156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007333Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.786{84BF0721-624B-5FDA-D302-000000009A01}50844136C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-624B-5FDA-D402-000000009A01}4156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4812516(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3cb3120(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3cb2df1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+47646d6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3c73987(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3cd1e56(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3cb54bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3cb54bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3cb534c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3ca72d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3cb3804(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3cb33f7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3cb3120(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3cb2df1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+47646d6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3c99c52(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3c99222(wow64) 154100x80000000000000007332Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.788{84BF0721-624B-5FDA-D402-000000009A01}4156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-624B-5FDA-C743-1B0000000000}0x1b43c70HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{84BF0721-624B-5FDA-D302-000000009A01}5084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x80000000000000007331Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.724{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007330Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.724{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007329Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.724{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-624B-5FDA-D302-000000009A01}5084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007328Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.724{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-624B-5FDA-D302-000000009A01}5084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007327Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.724{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007326Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.692{84BF0721-624B-5FDA-D302-000000009A01}5084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_4la2lsu3.zwk.ps12020-12-16 19:38:51.692 10341000x80000000000000007325Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.677{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-624B-5FDA-D302-000000009A01}5084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007324Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.630{84BF0721-624B-5FDA-D102-000000009A01}44403232C:\Windows\system32\conhost.exe{84BF0721-624B-5FDA-D302-000000009A01}5084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007323Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.630{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007322Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.630{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007321Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.630{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007320Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.630{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007319Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.630{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007318Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.630{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007317Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.630{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007316Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.630{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007315Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.630{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007314Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.630{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-624B-5FDA-D302-000000009A01}5084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007313Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.630{84BF0721-624B-5FDA-D202-000000009A01}14164616C:\Windows\system32\cmd.exe{84BF0721-624B-5FDA-D302-000000009A01}5084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007312Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.642{84BF0721-624B-5FDA-D302-000000009A01}5084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-624B-5FDA-C743-1B0000000000}0x1b43c70HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{84BF0721-624B-5FDA-D202-000000009A01}1416C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x80000000000000007311Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.630{84BF0721-624B-5FDA-D102-000000009A01}44403232C:\Windows\system32\conhost.exe{84BF0721-624B-5FDA-D202-000000009A01}1416C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007310Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.630{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007309Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.630{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007308Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.630{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007307Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.630{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007306Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.630{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007305Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.630{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007304Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.630{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007303Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.630{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007302Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.630{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007301Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.630{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-624B-5FDA-D202-000000009A01}1416C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007300Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.630{84BF0721-624B-5FDA-D002-000000009A01}12124324C:\Windows\system32\WinrsHost.exe{84BF0721-624B-5FDA-D202-000000009A01}1416C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x80000000000000007299Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.634{84BF0721-624B-5FDA-D202-000000009A01}1416C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-624B-5FDA-C743-1B0000000000}0x1b43c70HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{84BF0721-624B-5FDA-D002-000000009A01}1212C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000007298Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.630{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007297Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.630{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007296Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.630{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007295Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.505{84BF0721-5F00-5FDA-1400-000000009A01}13241700C:\Windows\system32\svchost.exe{84BF0721-624B-5FDA-D002-000000009A01}1212C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000007294Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.505{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-624B-5FDA-D002-000000009A01}1212C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007293Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.489{84BF0721-624B-5FDA-D102-000000009A01}44403232C:\Windows\system32\conhost.exe{84BF0721-624B-5FDA-D002-000000009A01}1212C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007292Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.458{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-624B-5FDA-D102-000000009A01}4440C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007291Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.458{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007290Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.458{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007289Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.458{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007288Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.458{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007287Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.458{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007286Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.458{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007285Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.458{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007284Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.458{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007283Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.458{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007282Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.458{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-624B-5FDA-D002-000000009A01}1212C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007281Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.458{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-624B-5FDA-D002-000000009A01}1212C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007280Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.458{84BF0721-624B-5FDA-D002-000000009A01}1212C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{84BF0721-624B-5FDA-C743-1B0000000000}0x1b43c70HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{84BF0721-5EFF-5FDA-0C00-000000009A01}612C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000007279Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.442{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007278Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.442{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007277Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.442{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007276Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.192{84BF0721-5FA9-5FDA-B700-000000009A01}39644892C:\Windows\system32\conhost.exe{84BF0721-624B-5FDA-CF02-000000009A01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007275Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.192{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007274Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.192{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007273Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.192{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007272Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.192{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007271Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.192{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007270Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.192{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007269Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.192{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007268Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.192{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007267Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.192{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007266Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.192{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-624B-5FDA-CF02-000000009A01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007265Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.192{84BF0721-5FA9-5FDA-B300-000000009A01}48404756C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{84BF0721-624B-5FDA-CF02-000000009A01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007264Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.054{84BF0721-624B-5FDA-CF02-000000009A01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{84BF0721-5EFE-5FDA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{84BF0721-5FA9-5FDA-B300-000000009A01}4840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007263Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.005{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007262Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.005{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007261Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:51.005{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007407Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.927{84BF0721-624C-5FDA-D702-000000009A01}40042932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{84BF0721-5FA9-5FDA-B300-000000009A01}4840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007406Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.880{84BF0721-624B-5FDA-D102-000000009A01}44403232C:\Windows\system32\conhost.exe{84BF0721-624C-5FDA-D802-000000009A01}4816C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007405Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.880{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007404Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.880{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007403Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.880{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007402Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.880{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007401Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.880{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007400Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.880{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007399Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.880{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007398Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.880{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007397Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.880{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007396Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.880{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-624C-5FDA-D802-000000009A01}4816C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007395Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.880{84BF0721-624B-5FDA-D402-000000009A01}41564132C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-624C-5FDA-D802-000000009A01}4816C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c19a9|UNKNOWN(00007FFEB823B68F) 154100x80000000000000007394Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.892{84BF0721-624C-5FDA-D802-000000009A01}4816C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\byrdcd05.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-624B-5FDA-C743-1B0000000000}0x1b43c70HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{84BF0721-624B-5FDA-D402-000000009A01}4156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x80000000000000007393Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.880{84BF0721-624B-5FDA-D402-000000009A01}4156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\byrdcd05.cmdline2020-12-16 19:38:52.880 11241100x80000000000000007392Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:52.880{84BF0721-624B-5FDA-D402-000000009A01}4156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\byrdcd05.dll2020-12-16 19:38:52.880 11241100x80000000000000007391Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:52.864{84BF0721-6249-5FDA-CB02-000000009A01}2144C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\860-0\System.Web.DataVisualization.dll2020-12-16 19:38:52.864 10341000x80000000000000007390Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.770{84BF0721-5FA9-5FDA-B700-000000009A01}39644892C:\Windows\system32\conhost.exe{84BF0721-624C-5FDA-D702-000000009A01}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007389Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.770{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007388Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.770{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007387Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.770{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007386Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.770{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007385Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.770{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007384Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.770{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007383Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.770{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007382Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.770{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007381Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.770{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007380Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.770{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-624C-5FDA-D702-000000009A01}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007379Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.770{84BF0721-5FA9-5FDA-B300-000000009A01}48404756C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{84BF0721-624C-5FDA-D702-000000009A01}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007378Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.632{84BF0721-624C-5FDA-D702-000000009A01}4004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{84BF0721-5EFE-5FDA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{84BF0721-5FA9-5FDA-B300-000000009A01}4840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007377Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.583{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007376Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.583{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007375Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.583{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007465Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.599{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-624D-5FDA-DE02-000000009A01}3396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007464Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.583{84BF0721-624D-5FDA-DD02-000000009A01}2124824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{84BF0721-5FA9-5FDA-B300-000000009A01}4840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007463Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.583{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-624D-5FDA-DE02-000000009A01}3396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007462Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.583{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-624D-5FDA-DE02-000000009A01}3396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007461Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:53.505{84BF0721-624D-5FDA-DB02-000000009A01}3400C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\d48-0\System.Web.DataVisualization.Design.dll2020-12-16 19:38:53.505 10341000x80000000000000007460Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.411{84BF0721-5FA9-5FDA-B700-000000009A01}39644892C:\Windows\system32\conhost.exe{84BF0721-624D-5FDA-DD02-000000009A01}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007459Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.411{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007458Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.411{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007457Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.411{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007456Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.411{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007455Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.411{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007454Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.411{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007453Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.411{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007452Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.411{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007451Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.411{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007450Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.411{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-624D-5FDA-DD02-000000009A01}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007449Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.411{84BF0721-5FA9-5FDA-B300-000000009A01}48404756C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{84BF0721-624D-5FDA-DD02-000000009A01}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007448Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.412{84BF0721-624D-5FDA-DD02-000000009A01}212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{84BF0721-5EFE-5FDA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{84BF0721-5FA9-5FDA-B300-000000009A01}4840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007447Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.333{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-624D-5FDA-DC02-000000009A01}2488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007446Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.333{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-624D-5FDA-DC02-000000009A01}2488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007445Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.286{84BF0721-624D-5FDA-DC02-000000009A01}2488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_0ff0gmch.wm2.ps12020-12-16 19:38:53.286 10341000x80000000000000007444Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.270{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-624D-5FDA-DC02-000000009A01}2488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007443Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.239{84BF0721-624B-5FDA-D102-000000009A01}44403232C:\Windows\system32\conhost.exe{84BF0721-624D-5FDA-DC02-000000009A01}2488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007442Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.239{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007441Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.239{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007440Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.239{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007439Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.239{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007438Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.239{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007437Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.239{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007436Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.239{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007435Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.239{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007434Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.239{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007433Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.239{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-624D-5FDA-DC02-000000009A01}2488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007432Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.239{84BF0721-624B-5FDA-D402-000000009A01}41564600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-624D-5FDA-DC02-000000009A01}2488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|UNKNOWN(00007FFEB7FC88B0) 154100x80000000000000007431Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.243{84BF0721-624D-5FDA-DC02-000000009A01}2488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABHAGUAdAAtAFAAYQBjAGsAYQBnAGUAUAByAG8AdgBpAGQAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-624B-5FDA-C743-1B0000000000}0x1b43c70HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{84BF0721-624B-5FDA-D402-000000009A01}4156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000007430Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.192{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-624D-5FDA-DB02-000000009A01}3400C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007429Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.192{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007428Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.192{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007427Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.192{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007426Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.177{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-624D-5FDA-DB02-000000009A01}3400C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007425Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.177{84BF0721-615A-5FDA-2701-000000009A01}27044116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-624D-5FDA-DB02-000000009A01}3400C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007424Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.036{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-624D-5FDA-DA02-000000009A01}4412C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007423Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.020{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-624D-5FDA-DA02-000000009A01}4412C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007422Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:53.020{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-624D-5FDA-DA02-000000009A01}4412C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007421Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:53.005{84BF0721-624C-5FDA-D802-000000009A01}4816C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\byrdcd05.dll2020-12-16 19:38:52.880 10341000x80000000000000007420Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.989{84BF0721-624B-5FDA-D102-000000009A01}44403232C:\Windows\system32\conhost.exe{84BF0721-624C-5FDA-D902-000000009A01}3584C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007419Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.989{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007418Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.989{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007417Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.989{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007416Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.989{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007415Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.989{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007414Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.989{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007413Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.989{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007412Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.989{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007411Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.989{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007410Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.989{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-624C-5FDA-D902-000000009A01}3584C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007409Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.989{84BF0721-624C-5FDA-D802-000000009A01}48164312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{84BF0721-624C-5FDA-D902-000000009A01}3584C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007408Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:52.998{84BF0721-624C-5FDA-D902-000000009A01}3584C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES37B.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSC60385BCFB524587A667C9C07EC9C1E1.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-624B-5FDA-C743-1B0000000000}0x1b43c70HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{84BF0721-624C-5FDA-D802-000000009A01}4816C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\byrdcd05.cmdline" 10341000x80000000000000007500Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:54.989{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007499Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:54.989{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007498Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:54.989{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007497Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:54.364{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-624E-5FDA-E102-000000009A01}1412C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007496Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:54.349{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-624E-5FDA-E102-000000009A01}1412C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007495Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:54.349{84BF0721-615A-5FDA-2701-000000009A01}27044116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-624E-5FDA-E102-000000009A01}1412C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007494Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:54.317{84BF0721-624E-5FDA-DF02-000000009A01}2872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\zyqnfaxf\zyqnfaxf.dll2020-12-16 19:38:54.177 10341000x80000000000000007493Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:54.302{84BF0721-624B-5FDA-D102-000000009A01}44403232C:\Windows\system32\conhost.exe{84BF0721-624E-5FDA-E002-000000009A01}2620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007492Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:54.302{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007491Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:54.302{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007490Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:54.302{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007489Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:54.302{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007488Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:54.302{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007487Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:54.302{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007486Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:54.302{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007485Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:54.302{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007484Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:54.302{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007483Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:54.302{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-624E-5FDA-E002-000000009A01}2620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007482Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:54.302{84BF0721-624E-5FDA-DF02-000000009A01}28725008C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{84BF0721-624E-5FDA-E002-000000009A01}2620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007481Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:54.306{84BF0721-624E-5FDA-E002-000000009A01}2620C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES89B.tmp" "c:\Users\Administrator\AppData\Local\Temp\zyqnfaxf\CSCAB1581382EF341A2BBBB46D3DE9489F.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-624B-5FDA-C743-1B0000000000}0x1b43c70HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{84BF0721-624E-5FDA-DF02-000000009A01}2872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\zyqnfaxf\zyqnfaxf.cmdline" 10341000x80000000000000007480Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:54.192{84BF0721-624B-5FDA-D102-000000009A01}44403232C:\Windows\system32\conhost.exe{84BF0721-624E-5FDA-DF02-000000009A01}2872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007479Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:54.192{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007478Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:54.192{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007477Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:54.192{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007476Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:54.192{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007475Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:54.192{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007474Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:54.192{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007473Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:54.192{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007472Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:54.192{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007471Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:54.192{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-624E-5FDA-DF02-000000009A01}2872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007470Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:54.192{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007469Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:54.177{84BF0721-624D-5FDA-DC02-000000009A01}24884352C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-624E-5FDA-DF02-000000009A01}2872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c242b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c18d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\fec023c8de0ed58c816cd442e3b4ddfe\Microsoft.PowerShell.Commands.Utility.ni.dll+bc70771e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\fec023c8de0ed58c816cd442e3b4ddfe\Microsoft.PowerShell.Commands.Utility.ni.dll+bc70771e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3cd7347(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3cb3120(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3cb2df1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+47646d6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3c73987(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3cd1e56(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3cb54bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3cb54bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3cb54bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3cb54bb(wow64) 154100x80000000000000007468Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:54.192{84BF0721-624E-5FDA-DF02-000000009A01}2872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\zyqnfaxf\zyqnfaxf.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-624B-5FDA-C743-1B0000000000}0x1b43c70HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{84BF0721-624D-5FDA-DC02-000000009A01}2488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABHAGUAdAAtAFAAYQBjAGsAYQBnAGUAUAByAG8AdgBpAGQAZQByAA== 11241100x80000000000000007467Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:54.177{84BF0721-624D-5FDA-DC02-000000009A01}2488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\zyqnfaxf\zyqnfaxf.cmdline2020-12-16 19:38:54.177 11241100x80000000000000007466Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:54.177{84BF0721-624D-5FDA-DC02-000000009A01}2488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\zyqnfaxf\zyqnfaxf.dll2020-12-16 19:38:54.177 10341000x80000000000000007606Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.989{84BF0721-624F-5FDA-E302-000000009A01}37963204C:\Windows\system32\conhost.exe{84BF0721-624F-5FDA-E902-000000009A01}224C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007605Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.989{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007604Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.989{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007603Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.989{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007602Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.989{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007601Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.989{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007600Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.989{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007599Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.989{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007598Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.989{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007597Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.989{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007596Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.974{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-624F-5FDA-E902-000000009A01}224C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007595Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.974{84BF0721-624F-5FDA-E702-000000009A01}48764012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-624F-5FDA-E902-000000009A01}224C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+507258b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4513195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4512e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4fc474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+44d39fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4531ecb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4515530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4515530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+45153c1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4507346(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4513879(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+451346c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4513195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4512e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4fc474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+44f9cc7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+44f9297(wow64) 154100x80000000000000007594Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.988{84BF0721-624F-5FDA-E902-000000009A01}224C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-624F-5FDA-01EB-1B0000000000}0x1beb010HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{84BF0721-624F-5FDA-E702-000000009A01}4876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000007593Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.974{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-624F-5FDA-E802-000000009A01}3888C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007592Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.958{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-624F-5FDA-E802-000000009A01}3888C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007591Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.958{84BF0721-615A-5FDA-2701-000000009A01}27044116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-624F-5FDA-E802-000000009A01}3888C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007590Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.927{84BF0721-5FA9-5FDA-B700-000000009A01}39644892C:\Windows\system32\conhost.exe{84BF0721-624F-5FDA-E602-000000009A01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007589Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.927{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007588Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.927{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007587Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.927{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007586Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.927{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007585Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.927{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007584Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.927{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007583Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.927{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007582Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.927{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007581Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.927{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007580Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.927{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-624F-5FDA-E602-000000009A01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007579Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.927{84BF0721-5FA9-5FDA-B300-000000009A01}48404756C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{84BF0721-624F-5FDA-E602-000000009A01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007578Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.788{84BF0721-624F-5FDA-E602-000000009A01}4548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{84BF0721-5EFE-5FDA-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{84BF0721-5FA9-5FDA-B300-000000009A01}4840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007577Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.911{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-624F-5FDA-E702-000000009A01}4876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007576Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.911{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-624F-5FDA-E702-000000009A01}4876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007575Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.880{84BF0721-624F-5FDA-E702-000000009A01}4876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_b3mgbhkx.fyx.ps12020-12-16 19:38:55.880 10341000x80000000000000007574Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.864{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-624F-5FDA-E702-000000009A01}4876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007573Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.833{84BF0721-624F-5FDA-E302-000000009A01}37963204C:\Windows\system32\conhost.exe{84BF0721-624F-5FDA-E702-000000009A01}4876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007572Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.817{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007571Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.817{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007570Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.817{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007569Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.817{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007568Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.817{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007567Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.817{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007566Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.817{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007565Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.817{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007564Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.817{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007563Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.817{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-624F-5FDA-E702-000000009A01}4876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007562Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.817{84BF0721-624F-5FDA-E502-000000009A01}48242768C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-624F-5FDA-E702-000000009A01}4876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4932516(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3dd3120(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3dd2df1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+48846d6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3d93987(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3df1e56(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3dd54bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3dd54bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3dd534c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3dc72d1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3dd3804(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3dd33f7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3dd3120(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3dd2df1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+48846d6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3db9c52(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+3db9222(wow64) 154100x80000000000000007561Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.831{84BF0721-624F-5FDA-E702-000000009A01}4876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-624F-5FDA-01EB-1B0000000000}0x1beb010HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{84BF0721-624F-5FDA-E502-000000009A01}4824C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 11241100x80000000000000007560Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:55.817{84BF0721-624E-5FDA-E102-000000009A01}1412C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\584-0\System.Web.Extensions.dll2020-12-16 19:38:55.817 10341000x80000000000000007559Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.770{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-624F-5FDA-E502-000000009A01}4824C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007558Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.770{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-624F-5FDA-E502-000000009A01}4824C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007557Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.770{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007556Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.770{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007555Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.755{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007554Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.724{84BF0721-624F-5FDA-E502-000000009A01}4824C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_dxjrgfjb.0iw.ps12020-12-16 19:38:55.724 10341000x80000000000000007553Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.708{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-624F-5FDA-E502-000000009A01}4824C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x80000000000000007552Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:54.018{84BF0721-624D-5FDA-DC02-000000009A01}2488C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-644.attackrange.local59174-false69.192.193.125a69-192-193-125.deploy.static.akamaitechnologies.com443https 10341000x80000000000000007551Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.677{84BF0721-624F-5FDA-E302-000000009A01}37963204C:\Windows\system32\conhost.exe{84BF0721-624F-5FDA-E502-000000009A01}4824C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007550Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.677{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007549Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.677{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007548Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.677{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007547Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.677{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007546Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.677{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007545Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.677{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007544Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.677{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007543Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.677{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007542Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.677{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007541Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.677{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-624F-5FDA-E502-000000009A01}4824C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007540Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.677{84BF0721-624F-5FDA-E402-000000009A01}47483016C:\Windows\system32\cmd.exe{84BF0721-624F-5FDA-E502-000000009A01}4824C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007539Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.680{84BF0721-624F-5FDA-E502-000000009A01}4824C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-624F-5FDA-01EB-1B0000000000}0x1beb010HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{84BF0721-624F-5FDA-E402-000000009A01}4748C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x80000000000000007538Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.677{84BF0721-624F-5FDA-E302-000000009A01}37963204C:\Windows\system32\conhost.exe{84BF0721-624F-5FDA-E402-000000009A01}4748C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007537Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.661{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007536Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.661{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007535Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.661{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007534Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.661{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007533Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.661{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007532Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.661{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007531Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.661{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007530Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.661{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007529Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.661{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007528Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.661{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-624F-5FDA-E402-000000009A01}4748C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007527Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.661{84BF0721-624F-5FDA-E202-000000009A01}46923804C:\Windows\system32\WinrsHost.exe{84BF0721-624F-5FDA-E402-000000009A01}4748C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x80000000000000007526Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.673{84BF0721-624F-5FDA-E402-000000009A01}4748C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-624F-5FDA-01EB-1B0000000000}0x1beb010HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{84BF0721-624F-5FDA-E202-000000009A01}4692C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000007525Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.661{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007524Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.661{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007523Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.661{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007522Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.567{84BF0721-5F00-5FDA-1400-000000009A01}13241700C:\Windows\system32\svchost.exe{84BF0721-624F-5FDA-E202-000000009A01}4692C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000007521Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.552{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-624F-5FDA-E202-000000009A01}4692C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007520Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.536{84BF0721-624F-5FDA-E302-000000009A01}37963204C:\Windows\system32\conhost.exe{84BF0721-624F-5FDA-E202-000000009A01}4692C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007519Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.536{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-624F-5FDA-E302-000000009A01}3796C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007518Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.520{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007517Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.520{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007516Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.520{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007515Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.520{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007514Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.520{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007513Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.520{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007512Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.520{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007511Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.520{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007510Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.520{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007509Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.520{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-624F-5FDA-E202-000000009A01}4692C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007508Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.520{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-624F-5FDA-E202-000000009A01}4692C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007507Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.532{84BF0721-624F-5FDA-E202-000000009A01}4692C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{84BF0721-624F-5FDA-01EB-1B0000000000}0x1beb010HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{84BF0721-5EFF-5FDA-0C00-000000009A01}612C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000007506Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.520{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007505Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.520{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007504Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.520{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007503Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.083{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007502Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.083{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007501Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:55.083{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007646Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:56.989{84BF0721-6250-5FDA-EC02-000000009A01}3996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\f9c-0\System.Web.DynamicData.Design.dll2020-12-16 19:38:56.989 10341000x80000000000000007645Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:56.911{84BF0721-624F-5FDA-E302-000000009A01}37963204C:\Windows\system32\conhost.exe{84BF0721-6250-5FDA-ED02-000000009A01}668C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007644Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:56.911{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007643Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:56.911{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007642Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:56.911{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007641Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:56.911{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007640Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:56.911{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007639Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:56.911{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007638Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:56.911{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007637Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:56.911{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007636Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:56.911{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007635Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:56.911{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-6250-5FDA-ED02-000000009A01}668C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007634Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:56.911{84BF0721-624F-5FDA-E702-000000009A01}48764012C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-6250-5FDA-ED02-000000009A01}668C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c19a9|UNKNOWN(00007FFEB825B68F) 154100x80000000000000007633Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:56.922{84BF0721-6250-5FDA-ED02-000000009A01}668C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\ajl5oi1e.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-624F-5FDA-01EB-1B0000000000}0x1beb010HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{84BF0721-624F-5FDA-E702-000000009A01}4876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x80000000000000007632Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:56.911{84BF0721-624F-5FDA-E702-000000009A01}4876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ajl5oi1e.cmdline2020-12-16 19:38:56.911 11241100x80000000000000007631Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:56.911{84BF0721-624F-5FDA-E702-000000009A01}4876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ajl5oi1e.dll2020-12-16 19:38:56.911 10341000x80000000000000007630Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:56.833{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6250-5FDA-EC02-000000009A01}3996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007629Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:56.817{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-6250-5FDA-EC02-000000009A01}3996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007628Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:56.817{84BF0721-615A-5FDA-2701-000000009A01}27044116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6250-5FDA-EC02-000000009A01}3996C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007627Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:56.786{84BF0721-6250-5FDA-EA02-000000009A01}23962476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{84BF0721-5FA9-5FDA-B300-000000009A01}4840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007626Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:56.677{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6250-5FDA-EB02-000000009A01}3484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007625Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:56.661{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-6250-5FDA-EB02-000000009A01}3484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007624Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:56.661{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6250-5FDA-EB02-000000009A01}3484C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007623Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:56.614{84BF0721-5FA9-5FDA-B700-000000009A01}39644892C:\Windows\system32\conhost.exe{84BF0721-6250-5FDA-EA02-000000009A01}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007622Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:56.614{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007621Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:56.614{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007620Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:56.614{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007619Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:56.614{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007618Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:56.614{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007617Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:56.614{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007616Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:56.614{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007615Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:56.614{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007614Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:56.614{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007613Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:56.614{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007612Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:56.614{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007611Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:56.614{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-6250-5FDA-EA02-000000009A01}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007610Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:56.614{84BF0721-5FA9-5FDA-B300-000000009A01}48404756C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{84BF0721-6250-5FDA-EA02-000000009A01}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007609Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:56.476{84BF0721-6250-5FDA-EA02-000000009A01}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{84BF0721-5EFE-5FDA-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{84BF0721-5FA9-5FDA-B300-000000009A01}4840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000007608Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:56.614{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007607Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:56.583{84BF0721-624F-5FDA-E802-000000009A01}3888C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\f30-0\System.Web.DynamicData.dll2020-12-16 19:38:56.583 10341000x80000000000000007693Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.770{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6251-5FDA-F302-000000009A01}2564C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007692Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.755{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-6251-5FDA-F302-000000009A01}2564C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007691Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.755{84BF0721-615A-5FDA-2701-000000009A01}27044116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6251-5FDA-F302-000000009A01}2564C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007690Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.614{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6251-5FDA-F202-000000009A01}4568C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007689Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.614{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-6251-5FDA-F202-000000009A01}4568C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007688Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.614{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6251-5FDA-F202-000000009A01}4568C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007687Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:57.536{84BF0721-6251-5FDA-F002-000000009A01}1044C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\414-0\System.Web.Entity.dll2020-12-16 19:38:57.536 10341000x80000000000000007686Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.364{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-6251-5FDA-F102-000000009A01}4600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007685Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.364{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-6251-5FDA-F102-000000009A01}4600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007684Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.317{84BF0721-6251-5FDA-F102-000000009A01}4600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_eruy5r4e.313.ps12020-12-16 19:38:57.317 10341000x80000000000000007683Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.302{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6251-5FDA-F102-000000009A01}4600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007682Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.270{84BF0721-624F-5FDA-E302-000000009A01}37963204C:\Windows\system32\conhost.exe{84BF0721-6251-5FDA-F102-000000009A01}4600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007681Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.270{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007680Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.270{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007679Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.270{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007678Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.270{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007677Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.270{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007676Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.270{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007675Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.270{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007674Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.270{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007673Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.270{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007672Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.270{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-6251-5FDA-F102-000000009A01}4600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007671Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.270{84BF0721-624F-5FDA-E702-000000009A01}48761144C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-6251-5FDA-F102-000000009A01}4600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|UNKNOWN(00007FFEB7FE88B0) 154100x80000000000000007670Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.281{84BF0721-6251-5FDA-F102-000000009A01}4600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG4AcwB0AGEAbABsAC0AUABhAGMAawBhAGcAZQBQAHIAbwB2AGkAZABlAHIAIAAtAE4AYQBtAGUAIABOAHUARwBlAHQAIAAtAE0AaQBuAGkAbQB1AG0AVgBlAHIAcwBpAG8AbgAgADIALgA4AC4ANQAuADIAMAAxACAALQBGAG8AcgBjAGUAC:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-624F-5FDA-01EB-1B0000000000}0x1beb010HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{84BF0721-624F-5FDA-E702-000000009A01}4876C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000007669Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.208{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007668Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.208{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007667Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.208{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007666Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.192{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6251-5FDA-F002-000000009A01}1044C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007665Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.177{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-6251-5FDA-F002-000000009A01}1044C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007664Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.177{84BF0721-615A-5FDA-2701-000000009A01}27044116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6251-5FDA-F002-000000009A01}1044C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007663Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.052{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6251-5FDA-EF02-000000009A01}4312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007662Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.036{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-6251-5FDA-EF02-000000009A01}4312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007661Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.036{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6251-5FDA-EF02-000000009A01}4312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007660Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:57.036{84BF0721-6250-5FDA-ED02-000000009A01}668C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\ajl5oi1e.dll2020-12-16 19:38:56.911 10341000x80000000000000007659Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.020{84BF0721-624F-5FDA-E302-000000009A01}37963204C:\Windows\system32\conhost.exe{84BF0721-6251-5FDA-EE02-000000009A01}3044C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007658Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.020{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007657Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.020{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007656Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.020{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007655Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.020{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007654Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.020{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007653Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.020{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007652Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.020{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007651Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.020{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007650Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.020{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007649Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.020{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-6251-5FDA-EE02-000000009A01}3044C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007648Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.020{84BF0721-6250-5FDA-ED02-000000009A01}6684992C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{84BF0721-6251-5FDA-EE02-000000009A01}3044C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007647Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.027{84BF0721-6251-5FDA-EE02-000000009A01}3044C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES133A.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSC373DE930F027432FAF12F9AC2F77716.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-624F-5FDA-01EB-1B0000000000}0x1beb010HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{84BF0721-6250-5FDA-ED02-000000009A01}668C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\ajl5oi1e.cmdline" 10341000x80000000000000007732Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:58.630{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6252-5FDA-F802-000000009A01}4204C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007731Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:58.614{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-6252-5FDA-F802-000000009A01}4204C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007730Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:58.614{84BF0721-615A-5FDA-2701-000000009A01}27044116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6252-5FDA-F802-000000009A01}4204C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007729Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:58.348{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6252-5FDA-F702-000000009A01}4944C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007728Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:58.348{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-6252-5FDA-F702-000000009A01}4944C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007727Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:58.348{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6252-5FDA-F702-000000009A01}4944C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007726Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:58.177{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6252-5FDA-F602-000000009A01}4596C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007725Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:58.161{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-6252-5FDA-F602-000000009A01}4596C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007724Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:58.161{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6252-5FDA-F602-000000009A01}4596C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007723Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:58.099{84BF0721-6252-5FDA-F402-000000009A01}3800C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\ycbiv0xe\ycbiv0xe.dll2020-12-16 19:38:58.005 11241100x80000000000000007722Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:58.099{84BF0721-6251-5FDA-F302-000000009A01}2564C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\a04-0\System.Web.Entity.Design.dll2020-12-16 19:38:58.099 10341000x80000000000000007721Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:58.099{84BF0721-624F-5FDA-E302-000000009A01}37963204C:\Windows\system32\conhost.exe{84BF0721-6252-5FDA-F502-000000009A01}4820C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007720Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:58.099{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007719Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:58.099{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007718Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:58.083{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007717Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:58.083{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007716Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:58.083{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007715Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:58.083{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007714Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:58.083{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007713Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:58.083{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007712Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:58.083{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-6252-5FDA-F502-000000009A01}4820C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007711Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:58.083{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007710Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:58.083{84BF0721-6252-5FDA-F402-000000009A01}38004528C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{84BF0721-6252-5FDA-F502-000000009A01}4820C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007709Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:58.097{84BF0721-6252-5FDA-F502-000000009A01}4820C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES1761.tmp" "c:\Users\Administrator\AppData\Local\Temp\ycbiv0xe\CSC13A71D3174F4BA2815B03BC4D0AE7.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-624F-5FDA-01EB-1B0000000000}0x1beb010HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{84BF0721-6252-5FDA-F402-000000009A01}3800C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\ycbiv0xe\ycbiv0xe.cmdline" 10341000x80000000000000007708Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:58.005{84BF0721-624F-5FDA-E302-000000009A01}37963204C:\Windows\system32\conhost.exe{84BF0721-6252-5FDA-F402-000000009A01}3800C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007707Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:58.005{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007706Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:58.005{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007705Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:58.005{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007704Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:58.005{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007703Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:58.005{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007702Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:58.005{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007701Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:58.005{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007700Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:58.005{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007699Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:58.005{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-6252-5FDA-F402-000000009A01}3800C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007698Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:58.005{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007697Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:58.005{84BF0721-6251-5FDA-F102-000000009A01}46003312C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-6252-5FDA-F402-000000009A01}3800C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c242b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c18d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\fec023c8de0ed58c816cd442e3b4ddfe\Microsoft.PowerShell.Commands.Utility.ni.dll+ffb6fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\fec023c8de0ed58c816cd442e3b4ddfe\Microsoft.PowerShell.Commands.Utility.ni.dll+ffb6fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+45373bc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4513195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4512e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4fc474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+44d39fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4531ecb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4515530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4515530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4515530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4515530(wow64) 154100x80000000000000007696Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:58.013{84BF0721-6252-5FDA-F402-000000009A01}3800C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\ycbiv0xe\ycbiv0xe.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-624F-5FDA-01EB-1B0000000000}0x1beb010HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{84BF0721-6251-5FDA-F102-000000009A01}4600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG4AcwB0AGEAbABsAC0AUABhAGMAawBhAGcAZQBQAHIAbwB2AGkAZABlAHIAIAAtAE4AYQBtAGUAIABOAHUARwBlAHQAIAAtAE0AaQBuAGkAbQB1AG0AVgBlAHIAcwBpAG8AbgAgADIALgA4AC4ANQAuADIAMAAxACAALQBGAG8AcgBjAGUA 11241100x80000000000000007695Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:58.005{84BF0721-6251-5FDA-F102-000000009A01}4600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ycbiv0xe\ycbiv0xe.cmdline2020-12-16 19:38:58.005 11241100x80000000000000007694Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:58.005{84BF0721-6251-5FDA-F102-000000009A01}4600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\ycbiv0xe\ycbiv0xe.dll2020-12-16 19:38:58.005 10341000x80000000000000007744Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:59.958{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007743Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:59.958{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007742Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:59.942{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x80000000000000007741Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:57.916{84BF0721-6251-5FDA-F102-000000009A01}4600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-644.attackrange.local59175-false69.192.193.125a69-192-193-125.deploy.static.akamaitechnologies.com443https 10341000x80000000000000007740Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:59.645{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6253-5FDA-FA02-000000009A01}4324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007739Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:59.645{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-6253-5FDA-FA02-000000009A01}4324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007738Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:59.645{84BF0721-615A-5FDA-2701-000000009A01}27044116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6253-5FDA-FA02-000000009A01}4324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007737Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:59.520{84BF0721-6251-5FDA-F102-000000009A01}4600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Program Files\PackageManagement\ProviderAssemblies\nuget\2.8.5.208\Microsoft.PackageManagement.NuGetProvider.dll2020-12-16 19:38:59.520 10341000x80000000000000007736Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:59.364{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6253-5FDA-F902-000000009A01}4132C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007735Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:59.348{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-6253-5FDA-F902-000000009A01}4132C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007734Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:59.348{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6253-5FDA-F902-000000009A01}4132C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007733Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:38:59.270{84BF0721-6252-5FDA-F802-000000009A01}4204C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\106c-0\System.Web.Extensions.Design.dll2020-12-16 19:38:59.270 10341000x80000000000000007834Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.958{84BF0721-6254-5FDA-FC02-000000009A01}32201588C:\Windows\system32\conhost.exe{84BF0721-6254-5FDA-0003-000000009A01}220C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007833Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.958{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007832Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.958{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007831Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.958{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007830Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.958{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007829Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.958{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007828Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.958{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007827Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.958{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007826Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.958{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007825Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.958{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007824Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.958{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-6254-5FDA-0003-000000009A01}220C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007823Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.942{84BF0721-6254-5FDA-FF02-000000009A01}24444320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-6254-5FDA-0003-000000009A01}220C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|UNKNOWN(00007FFF055F258B)|UNKNOWN(00007FFF04A93195)|UNKNOWN(00007FFF04A92E66)|UNKNOWN(00007FFF0554474B)|UNKNOWN(00007FFF04A539FC)|UNKNOWN(00007FFF04AB1ECB)|UNKNOWN(00007FFF04A95530)|UNKNOWN(00007FFF04A95530)|UNKNOWN(00007FFF04A953C1)|UNKNOWN(00007FFF04A87346)|UNKNOWN(00007FFF04A93879)|UNKNOWN(00007FFF04A9346C)|UNKNOWN(00007FFF04A93195)|UNKNOWN(00007FFF04A92E66)|UNKNOWN(00007FFF0554474B)|UNKNOWN(00007FFF04A79CC7)|UNKNOWN(00007FFF04A79297) 154100x80000000000000007822Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.957{84BF0721-6254-5FDA-0003-000000009A01}220C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-6254-5FDA-01D6-1C0000000000}0x1cd6010HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{84BF0721-6254-5FDA-FF02-000000009A01}2444C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 354300x80000000000000007821Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:59.041{84BF0721-6251-5FDA-F102-000000009A01}4600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-644.attackrange.local59177-false72.21.81.200-443https 354300x80000000000000007820Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:58.990{84BF0721-6251-5FDA-F102-000000009A01}4600C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-644.attackrange.local59176-false69.192.193.125a69-192-193-125.deploy.static.akamaitechnologies.com443https 10341000x80000000000000007819Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.895{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-6254-5FDA-FF02-000000009A01}2444C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007818Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.895{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-6254-5FDA-FF02-000000009A01}2444C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007817Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.848{84BF0721-6254-5FDA-FF02-000000009A01}2444C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_1kacucgy.avk.ps12020-12-16 19:39:00.848 10341000x80000000000000007816Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.833{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-6254-5FDA-FF02-000000009A01}2444C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007815Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.802{84BF0721-6254-5FDA-FC02-000000009A01}32201588C:\Windows\system32\conhost.exe{84BF0721-6254-5FDA-FF02-000000009A01}2444C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007814Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.802{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007813Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.802{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007812Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.802{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007811Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.802{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007810Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.802{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007809Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.802{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007808Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.802{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007807Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.802{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007806Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.802{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007805Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.802{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-6254-5FDA-FF02-000000009A01}2444C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007804Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.802{84BF0721-6254-5FDA-FE02-000000009A01}43564440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-6254-5FDA-FF02-000000009A01}2444C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+51e255d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4683167(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4682e38(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+513471d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+46439ce(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+46a1e9d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4685502(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4685502(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4685393(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4677318(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+468384b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+468343e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4683167(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4682e38(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+513471d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4669c99(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4669269(wow64) 154100x80000000000000007803Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.806{84BF0721-6254-5FDA-FF02-000000009A01}2444C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-6254-5FDA-01D6-1C0000000000}0x1cd6010HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{84BF0721-6254-5FDA-FE02-000000009A01}4356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x80000000000000007802Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.770{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007801Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.770{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007800Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.770{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007799Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.739{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-6254-5FDA-FE02-000000009A01}4356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007798Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.739{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-6254-5FDA-FE02-000000009A01}4356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007797Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.692{84BF0721-6254-5FDA-FE02-000000009A01}4356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_qcjh2hq3.ieu.ps12020-12-16 19:39:00.692 10341000x80000000000000007796Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.692{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-6254-5FDA-FE02-000000009A01}4356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007795Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.645{84BF0721-6254-5FDA-FC02-000000009A01}32201588C:\Windows\system32\conhost.exe{84BF0721-6254-5FDA-FE02-000000009A01}4356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007794Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.645{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007793Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.645{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007792Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.645{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007791Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.645{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007790Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.645{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007789Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.645{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007788Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.645{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007787Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.645{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007786Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.645{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007785Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.645{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-6254-5FDA-FE02-000000009A01}4356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007784Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.645{84BF0721-6254-5FDA-FD02-000000009A01}34844988C:\Windows\system32\cmd.exe{84BF0721-6254-5FDA-FE02-000000009A01}4356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007783Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.653{84BF0721-6254-5FDA-FE02-000000009A01}4356C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-6254-5FDA-01D6-1C0000000000}0x1cd6010HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{84BF0721-6254-5FDA-FD02-000000009A01}3484C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x80000000000000007782Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.645{84BF0721-6254-5FDA-FC02-000000009A01}32201588C:\Windows\system32\conhost.exe{84BF0721-6254-5FDA-FD02-000000009A01}3484C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007781Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.645{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007780Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.645{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007779Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.645{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007778Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.645{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007777Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.645{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007776Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.645{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007775Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.645{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007774Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.645{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007773Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.645{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007772Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.645{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-6254-5FDA-FD02-000000009A01}3484C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007771Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.645{84BF0721-6254-5FDA-FB02-000000009A01}14924648C:\Windows\system32\WinrsHost.exe{84BF0721-6254-5FDA-FD02-000000009A01}3484C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x80000000000000007770Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.646{84BF0721-6254-5FDA-FD02-000000009A01}3484C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-6254-5FDA-01D6-1C0000000000}0x1cd6010HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{84BF0721-6254-5FDA-FB02-000000009A01}1492C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000007769Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.630{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007768Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.630{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007767Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.630{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007766Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.536{84BF0721-5F00-5FDA-1400-000000009A01}13241700C:\Windows\system32\svchost.exe{84BF0721-6254-5FDA-FB02-000000009A01}1492C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000007765Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.520{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-6254-5FDA-FB02-000000009A01}1492C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007764Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.505{84BF0721-6254-5FDA-FC02-000000009A01}32201588C:\Windows\system32\conhost.exe{84BF0721-6254-5FDA-FB02-000000009A01}1492C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007763Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.505{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-6254-5FDA-FC02-000000009A01}3220C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007762Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.505{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007761Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.505{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007760Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.489{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007759Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.489{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007758Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.489{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007757Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.489{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007756Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.489{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007755Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.489{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007754Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.489{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007753Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.489{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-6254-5FDA-FB02-000000009A01}1492C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007752Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.489{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6254-5FDA-FB02-000000009A01}1492C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007751Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.503{84BF0721-6254-5FDA-FB02-000000009A01}1492C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{84BF0721-6254-5FDA-01D6-1C0000000000}0x1cd6010HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{84BF0721-5EFF-5FDA-0C00-000000009A01}612C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000007750Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.489{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007749Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.489{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007748Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.489{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007747Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.052{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007746Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.052{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007745Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:00.052{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007868Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:01.942{84BF0721-6255-5FDA-0403-000000009A01}4200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1068-0\System.Web.Routing.dll2020-12-16 19:39:01.942 10341000x80000000000000007867Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:01.942{84BF0721-6254-5FDA-FC02-000000009A01}32201588C:\Windows\system32\conhost.exe{84BF0721-6255-5FDA-0503-000000009A01}2492C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007866Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:01.942{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007865Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:01.942{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007864Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:01.927{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007863Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:01.927{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007862Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:01.927{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007861Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:01.927{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007860Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:01.927{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007859Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:01.927{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007858Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:01.927{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007857Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:01.927{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-6255-5FDA-0503-000000009A01}2492C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007856Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:01.927{84BF0721-6254-5FDA-FF02-000000009A01}24444320C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-6255-5FDA-0503-000000009A01}2492C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c19a9|UNKNOWN(00007FFEB824B68F) 154100x80000000000000007855Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:01.941{84BF0721-6255-5FDA-0503-000000009A01}2492C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\cct24bo5.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-6254-5FDA-01D6-1C0000000000}0x1cd6010HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{84BF0721-6254-5FDA-FF02-000000009A01}2444C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x80000000000000007854Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:01.927{84BF0721-6254-5FDA-FF02-000000009A01}2444C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\cct24bo5.cmdline2020-12-16 19:39:01.927 11241100x80000000000000007853Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:01.927{84BF0721-6254-5FDA-FF02-000000009A01}2444C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\cct24bo5.dll2020-12-16 19:39:01.927 10341000x80000000000000007852Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:01.911{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-6255-5FDA-0403-000000009A01}4200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007851Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:01.911{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-6255-5FDA-0403-000000009A01}4200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007850Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:01.911{84BF0721-615A-5FDA-2701-000000009A01}27044116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6255-5FDA-0403-000000009A01}4200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x80000000000000007849Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:38:59.034{84BF0721-6251-5FDA-F102-000000009A01}4600onegetcdn.azureedge.net0type: 5 onegetcdn.ec.azureedge.net;type: 5 cs9.wpc.v0cdn.net;::ffff:72.21.81.200;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000007848Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:01.755{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-6255-5FDA-0303-000000009A01}4628C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007847Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:01.739{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-6255-5FDA-0303-000000009A01}4628C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007846Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:01.739{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6255-5FDA-0303-000000009A01}4628C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007845Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:01.677{84BF0721-6255-5FDA-0203-000000009A01}3492C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\da4-0\System.Web.RegularExpressions.dll2020-12-16 19:39:01.677 10341000x80000000000000007844Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:01.630{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007843Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:01.630{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007842Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:01.630{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007841Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:01.442{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-6255-5FDA-0203-000000009A01}3492C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007840Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:01.427{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-6255-5FDA-0203-000000009A01}3492C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007839Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:01.427{84BF0721-615A-5FDA-2701-000000009A01}27044116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6255-5FDA-0203-000000009A01}3492C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007838Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:01.380{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-6255-5FDA-0103-000000009A01}2396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007837Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:01.380{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-6255-5FDA-0103-000000009A01}2396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007836Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:01.380{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6255-5FDA-0103-000000009A01}2396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007835Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:01.255{84BF0721-6253-5FDA-FA02-000000009A01}4324C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\10e4-0\System.Web.Mobile.dll2020-12-16 19:39:01.255 10341000x80000000000000007908Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.583{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-6256-5FDA-0903-000000009A01}2436C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007907Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.567{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-6256-5FDA-0903-000000009A01}2436C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007906Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.567{84BF0721-615A-5FDA-2701-000000009A01}27044116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6256-5FDA-0903-000000009A01}2436C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007905Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.364{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007904Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.364{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007903Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.333{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_5cqgktsx.dor.ps12020-12-16 19:39:02.333 10341000x80000000000000007902Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.317{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007901Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.286{84BF0721-6254-5FDA-FC02-000000009A01}32201588C:\Windows\system32\conhost.exe{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007900Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.286{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007899Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.286{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007898Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.286{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007897Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.286{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007896Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.286{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007895Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.286{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007894Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.286{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007893Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.286{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007892Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.286{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007891Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.286{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007890Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.270{84BF0721-6254-5FDA-FF02-000000009A01}24444128C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|UNKNOWN(00007FFEB7FD88B0) 154100x80000000000000007889Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.285{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAEkAbgB0AGUAcgBuAGUAdAAgAEUAeABwAGwAbwByAGUAcgBcAE0AYQBpAG4AIgAgAC0ATgBhAG0AZQAgACIARABpAHMAYQBiAGwAZQBGAGkAcgBzAHQAUgB1AG4AQwB1AHMAdABvAG0AaQB6AGUAIgAgAC0AVgBhAGwAdQBlACAAMgAKAEkARQBYACAAKABJAFcAUgAgAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcgBlAGQAYwBhAG4AYQByAHkAYwBvAC8AaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAC8AbQBhAHMAdABlAHIALwBpAG4AcwB0AGEAbABsAC0AYQB0AG8AbQBpAGMAcgBlAGQAdABlAGEAbQAuAHAAcwAxACkACgBJAG4AcwB0AGEAbABsAC0AQQB0AG8AbQBpAGMAUgBlAGQAVABlAGEAbQAgAC0ARgBvAHIAYwBlAAoASQBFAFgAIAAoAEkAVwBSACAAJwBoAHQAdABwAHMAOgAvAC8AcgBhAHcALgBnAGkAdABoAHUAYgB1AHMAZQByAGMAbwBuAHQAZQBuAHQALgBjAG8AbQAvAHIAZQBkAGMAYQBuAGEAcgB5AGMAbwAvAGkAbgB2AG8AawBlAC0AYQB0AG8AbQBpAGMAcgBlAGQAdABlAGEAbQAvAG0AYQBzAHQAZQByAC8AaQBuAHMAdABhAGwAbAAtAGEAdABvAG0AaQBjAHMAZgBvAGwAZABlAHIALgBwAHMAMQAnACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwApAAoASQBuAHMAdABhAGwAbAAtAEEAdABvAG0AaQBjAHMARgBvAGwAZABlAHIAIAAtAEYAbwByAGMAZQAgAC0AUgBlAHAAbwBPAHcAbgBlAHIAIAAiAHMAcABsAHUAbgBrACIAIAAtAEIAcgBhAG4AYwBoACAAIgBsAG8AYwBhAGwALQBtAGEAcwB0AGUAcgAiAA==C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-6254-5FDA-01D6-1C0000000000}0x1cd6010HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{84BF0721-6254-5FDA-FF02-000000009A01}2444C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000007888Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.255{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007887Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.255{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007886Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.255{84BF0721-5EFE-5FDA-0B00-000000009A01}860900C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007885Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:02.052{84BF0721-6255-5FDA-0503-000000009A01}2492C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\cct24bo5.dll2020-12-16 19:39:01.927 10341000x80000000000000007884Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.036{84BF0721-6254-5FDA-FC02-000000009A01}32201588C:\Windows\system32\conhost.exe{84BF0721-6256-5FDA-0703-000000009A01}3744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007883Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.036{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007882Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.036{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007881Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.036{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007880Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.036{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007879Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.036{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007878Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.036{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007877Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.036{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007876Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.036{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007875Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.036{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007874Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.036{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-6256-5FDA-0703-000000009A01}3744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007873Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.036{84BF0721-6255-5FDA-0503-000000009A01}24922940C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{84BF0721-6256-5FDA-0703-000000009A01}3744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007872Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.043{84BF0721-6256-5FDA-0703-000000009A01}3744C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES26D2.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSCEA8189EB4A9841FDA02323B03EA6CCB8.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-6254-5FDA-01D6-1C0000000000}0x1cd6010HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{84BF0721-6255-5FDA-0503-000000009A01}2492C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\cct24bo5.cmdline" 10341000x80000000000000007871Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.005{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-6256-5FDA-0603-000000009A01}2868C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007870Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:01.989{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-6256-5FDA-0603-000000009A01}2868C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007869Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:01.989{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6256-5FDA-0603-000000009A01}2868C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007912Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:03.942{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-6257-5FDA-0A03-000000009A01}4876C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007911Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:03.927{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-6257-5FDA-0A03-000000009A01}4876C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007910Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:03.927{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6257-5FDA-0A03-000000009A01}4876C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007909Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:03.833{84BF0721-6256-5FDA-0903-000000009A01}2436C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\984-0\System.Windows.Controls.Ribbon.dll2020-12-16 19:39:03.833 22542200x80000000000000007916Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.648{84BF0721-6256-5FDA-0803-000000009A01}5076raw.githubusercontent.com0type: 5 github.map.fastly.net;::ffff:151.101.52.133;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000007915Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:04.130{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-6258-5FDA-0B03-000000009A01}4692C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007914Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:04.114{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-6258-5FDA-0B03-000000009A01}4692C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007913Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:04.114{84BF0721-615A-5FDA-2701-000000009A01}27044116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6258-5FDA-0B03-000000009A01}4692C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007967Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:05.661{84BF0721-6259-5FDA-0C03-000000009A01}4980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\z0ayctoz\z0ayctoz.dll2020-12-16 19:39:05.567 10341000x80000000000000007966Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.645{84BF0721-6254-5FDA-FC02-000000009A01}32201588C:\Windows\system32\conhost.exe{84BF0721-6259-5FDA-0D03-000000009A01}4220C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007965Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.645{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007964Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.645{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007963Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.645{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007962Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.645{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007961Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.645{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007960Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.645{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007959Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.645{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007958Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.645{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007957Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.645{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-6259-5FDA-0D03-000000009A01}4220C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007956Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.645{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007955Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.645{84BF0721-6259-5FDA-0C03-000000009A01}49803140C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{84BF0721-6259-5FDA-0D03-000000009A01}4220C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000007954Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.656{84BF0721-6259-5FDA-0D03-000000009A01}4220C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES34EB.tmp" "c:\Users\Administrator\AppData\Local\Temp\z0ayctoz\CSC3C2AE3F5AA64429B86F96A9757D7E93.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-6254-5FDA-01D6-1C0000000000}0x1cd6010HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{84BF0721-6259-5FDA-0C03-000000009A01}4980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\z0ayctoz\z0ayctoz.cmdline" 10341000x80000000000000007953Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.567{84BF0721-6254-5FDA-FC02-000000009A01}32201588C:\Windows\system32\conhost.exe{84BF0721-6259-5FDA-0C03-000000009A01}4980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007952Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.567{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007951Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.567{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007950Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.567{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007949Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.567{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007948Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.567{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007947Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.567{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007946Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.567{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007945Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.567{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007944Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.567{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-6259-5FDA-0C03-000000009A01}4980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007943Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.567{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007942Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.567{84BF0721-6256-5FDA-0803-000000009A01}50761180C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-6259-5FDA-0C03-000000009A01}4980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c242b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c18d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\fec023c8de0ed58c816cd442e3b4ddfe\Microsoft.PowerShell.Commands.Utility.ni.dll+ffffca20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\fec023c8de0ed58c816cd442e3b4ddfe\Microsoft.PowerShell.Commands.Utility.ni.dll+ffffca20(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4377347(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4353120(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4352df1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4e046d6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4313987(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+4371e56(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+43554bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+43554bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+43554bb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+43554bb(wow64) 154100x80000000000000007941Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.576{84BF0721-6259-5FDA-0C03-000000009A01}4980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\z0ayctoz\z0ayctoz.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-6254-5FDA-01D6-1C0000000000}0x1cd6010HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABTAGUAdAAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgBIAEsATABNADoAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAEkAbgB0AGUAcgBuAGUAdAAgAEUAeABwAGwAbwByAGUAcgBcAE0AYQBpAG4AIgAgAC0ATgBhAG0AZQAgACIARABpAHMAYQBiAGwAZQBGAGkAcgBzAHQAUgB1AG4AQwB1AHMAdABvAG0AaQB6AGUAIgAgAC0AVgBhAGwAdQBlACAAMgAKAEkARQBYACAAKABJAFcAUgAgAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcgBlAGQAYwBhAG4AYQByAHkAYwBvAC8AaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAC8AbQBhAHMAdABlAHIALwBpAG4AcwB0AGEAbABsAC0AYQB0AG8AbQBpAGMAcgBlAGQAdABlAGEAbQAuAHAAcwAxACkACgBJAG4AcwB0AGEAbABsAC0AQQB0AG8AbQBpAGMAUgBlAGQAVABlAGEAbQAgAC0ARgBvAHIAYwBlAAoASQBFAFgAIAAoAEkAVwBSACAAJwBoAHQAdABwAHMAOgAvAC8AcgBhAHcALgBnAGkAdABoAHUAYgB1AHMAZQByAGMAbwBuAHQAZQBuAHQALgBjAG8AbQAvAHIAZQBkAGMAYQBuAGEAcgB5AGMAbwAvAGkAbgB2AG8AawBlAC0AYQB0AG8AbQBpAGMAcgBlAGQAdABlAGEAbQAvAG0AYQBzAHQAZQByAC8AaQBuAHMAdABhAGwAbAAtAGEAdABvAG0AaQBjAHMAZgBvAGwAZABlAHIALgBwAHMAMQAnACAALQBVAHMAZQBCAGEAcwBpAGMAUABhAHIAcwBpAG4AZwApAAoASQBuAHMAdABhAGwAbAAtAEEAdABvAG0AaQBjAHMARgBvAGwAZABlAHIAIAAtAEYAbwByAGMAZQAgAC0AUgBlAHAAbwBPAHcAbgBlAHIAIAAiAHMAcABsAHUAbgBrACIAIAAtAEIAcgBhAG4AYwBoACAAIgBsAG8AYwBhAGwALQBtAGEAcwB0AGUAcgAiAA== 11241100x80000000000000007940Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.567{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\z0ayctoz\z0ayctoz.cmdline2020-12-16 19:39:05.567 11241100x80000000000000007939Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:05.567{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\z0ayctoz\z0ayctoz.dll2020-12-16 19:39:05.567 11241100x80000000000000007938Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.348{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\install-atomicsfolder.ps12020-12-16 19:39:05.348 11241100x80000000000000007937Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.348{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\install-atomicredteam.ps12020-12-16 19:39:05.348 11241100x80000000000000007936Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.333{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Public\Start-AtomicGUI.ps12020-12-16 19:39:05.333 11241100x80000000000000007935Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.333{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Public\New-Atomic.ps12020-12-16 19:39:05.333 11241100x80000000000000007934Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.333{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Public\Invoke-WebRequestVerifyHash.ps12020-12-16 19:39:05.333 11241100x80000000000000007933Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.333{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Public\Invoke-MalDoc.ps12020-12-16 19:39:05.333 11241100x80000000000000007932Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.333{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Public\Invoke-AtomicTest.ps12020-12-16 19:39:05.333 11241100x80000000000000007931Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.333{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Public\Get-AtomicTechnique.ps12020-12-16 19:39:05.333 11241100x80000000000000007930Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.333{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Write-PrereqResults.ps12020-12-16 19:39:05.333 11241100x80000000000000007929Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.333{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Write-KeyValue.ps12020-12-16 19:39:05.333 11241100x80000000000000007928Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.317{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Write-ExecutionLog.ps12020-12-16 19:39:05.317 11241100x80000000000000007927Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.317{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Show-Details.ps12020-12-16 19:39:05.317 11241100x80000000000000007926Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.317{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Replace-InputArgs.ps12020-12-16 19:39:05.317 11241100x80000000000000007925Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.317{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Invoke-Process.ps12020-12-16 19:39:05.317 11241100x80000000000000007924Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.317{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Invoke-KillProcessTree.ps12020-12-16 19:39:05.317 11241100x80000000000000007923Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.317{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Invoke-ExecuteCommand.ps12020-12-16 19:39:05.317 11241100x80000000000000007922Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.317{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Invoke-CheckPrereqs.ps12020-12-16 19:39:05.317 11241100x80000000000000007921Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.317{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Get-TargetInfo.ps12020-12-16 19:39:05.317 11241100x80000000000000007920Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.317{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\Get-PrereqExecutor.ps12020-12-16 19:39:05.317 11241100x80000000000000007919Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.317{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\Private\AtomicClassSchema.ps12020-12-16 19:39:05.302 11241100x80000000000000007918Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:05.302{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\invoke-atomicredteam-master\LICENSE.txt2020-12-16 19:39:05.302 354300x80000000000000007917Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:02.657{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-644.attackrange.local59179-false151.101.52.133-443https 22542200x80000000000000007970Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:04.830{84BF0721-6256-5FDA-0803-000000009A01}5076codeload.github.com0::ffff:192.30.255.121;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 22542200x80000000000000007969Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:04.652{84BF0721-6256-5FDA-0803-000000009A01}5076github.com0::ffff:192.30.255.113;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 354300x80000000000000007968Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:04.659{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-644.attackrange.local59180-false192.30.255.113lb-192-30-255-113-sea.github.com443https 10341000x80000000000000007984Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:07.926{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-625B-5FDA-1003-000000009A01}4952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007983Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:07.911{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-625B-5FDA-1003-000000009A01}4952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007982Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:07.911{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-625B-5FDA-1003-000000009A01}4952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007981Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:07.848{84BF0721-625B-5FDA-0F03-000000009A01}4824C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\12d8-0\System.Windows.Forms.DataVisualization.Design.dll2020-12-16 19:39:07.848 10341000x80000000000000007980Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:07.598{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-625B-5FDA-0F03-000000009A01}4824C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007979Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:07.583{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-625B-5FDA-0F03-000000009A01}4824C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007978Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:07.583{84BF0721-615A-5FDA-2701-000000009A01}27044116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-625B-5FDA-0F03-000000009A01}4824C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007977Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:07.458{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-625B-5FDA-0E03-000000009A01}4668C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007976Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:07.442{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-625B-5FDA-0E03-000000009A01}4668C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007975Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:07.442{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-625B-5FDA-0E03-000000009A01}4668C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x80000000000000007974Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:06.251{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-644.attackrange.local59184-false72.21.81.200-443https 354300x80000000000000007973Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:06.213{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-644.attackrange.local59183-false69.192.193.125a69-192-193-125.deploy.static.akamaitechnologies.com443https 354300x80000000000000007972Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:04.838{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-644.attackrange.local59181-false192.30.255.121lb-192-30-255-121-sea.github.com443https 11241100x80000000000000007971Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:07.286{84BF0721-6258-5FDA-0B03-000000009A01}4692C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1254-0\System.Windows.Forms.DataVisualization.dll2020-12-16 19:39:07.286 10341000x80000000000000008007Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:08.926{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-625C-5FDA-1503-000000009A01}4688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008006Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:08.926{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-625C-5FDA-1503-000000009A01}4688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008005Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:08.926{84BF0721-615A-5FDA-2701-000000009A01}27044116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-625C-5FDA-1503-000000009A01}4688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x80000000000000008004Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:06.244{84BF0721-6256-5FDA-0803-000000009A01}5076onegetcdn.azureedge.net0type: 5 onegetcdn.ec.azureedge.net;type: 5 cs9.wpc.v0cdn.net;::ffff:72.21.81.200;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000008003Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:08.551{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-625C-5FDA-1403-000000009A01}1968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008002Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:08.536{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-625C-5FDA-1403-000000009A01}1968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008001Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:08.536{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-625C-5FDA-1403-000000009A01}1968C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008000Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:08.473{84BF0721-625C-5FDA-1303-000000009A01}3492C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\da4-0\System.Windows.Presentation.dll2020-12-16 19:39:08.473 10341000x80000000000000007999Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:08.395{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-625C-5FDA-1303-000000009A01}3492C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007998Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:08.380{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-625C-5FDA-1303-000000009A01}3492C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007997Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:08.380{84BF0721-615A-5FDA-2701-000000009A01}27044116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-625C-5FDA-1303-000000009A01}3492C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007996Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:08.317{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-625C-5FDA-1203-000000009A01}2396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x80000000000000007995Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-SetValue2020-12-16 19:39:08.317{84BF0721-5EFE-5FDA-0B00-000000009A01}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000007994Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-SetValue2020-12-16 19:39:08.317{84BF0721-5EFE-5FDA-0B00-000000009A01}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x000d3f5b) 13241300x80000000000000007993Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-SetValue2020-12-16 19:39:08.317{84BF0721-5EFE-5FDA-0B00-000000009A01}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d6d3da-0xbccdd9a3) 13241300x80000000000000007992Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-SetValue2020-12-16 19:39:08.317{84BF0721-5EFE-5FDA-0B00-000000009A01}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d6d3e3-0x1e9241a3) 13241300x80000000000000007991Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-SetValue2020-12-16 19:39:08.317{84BF0721-5EFE-5FDA-0B00-000000009A01}860C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d6d3eb-0x8056a9a3) 10341000x80000000000000007990Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:08.317{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-625C-5FDA-1203-000000009A01}2396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007989Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:08.317{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-625C-5FDA-1203-000000009A01}2396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000007988Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:08.255{84BF0721-625C-5FDA-1103-000000009A01}4820C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\12d4-0\System.Windows.Input.Manipulations.dll2020-12-16 19:39:08.255 10341000x80000000000000007987Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:08.051{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-625C-5FDA-1103-000000009A01}4820C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000007986Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:08.036{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-625C-5FDA-1103-000000009A01}4820C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000007985Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:08.036{84BF0721-615A-5FDA-2701-000000009A01}27044116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-625C-5FDA-1103-000000009A01}4820C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x80000000000000008010Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:08.222{84BF0721-6256-5FDA-0803-000000009A01}5076www.powershellgallery.com0type: 5 powershellgallerytrafficmanager.trafficmanager.net;type: 5 psg-prod-centralus.cloudapp.net;::ffff:168.61.186.235;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 354300x80000000000000008009Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:08.276{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-644.attackrange.local59186-false168.61.186.235-443https 354300x80000000000000008008Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:08.112{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-644.attackrange.local59185-false69.192.193.125a69-192-193-125.deploy.static.akamaitechnologies.com443https 11241100x80000000000000008015Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:10.926{84BF0721-625C-5FDA-1503-000000009A01}4688C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1250-0\System.Workflow.Activities.dll2020-12-16 19:39:10.926 354300x80000000000000008014Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:08.849{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-644.attackrange.local59190-false168.61.186.235-443https 354300x80000000000000008013Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:08.762{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-644.attackrange.local59189-false69.192.193.125a69-192-193-125.deploy.static.akamaitechnologies.com443https 354300x80000000000000008012Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:08.583{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-644.attackrange.local59188-false168.61.186.235-443https 354300x80000000000000008011Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:08.499{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-644.attackrange.local59187-false69.192.193.125a69-192-193-125.deploy.static.akamaitechnologies.com443https 354300x80000000000000008023Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:09.925{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-644.attackrange.local59192-false168.61.186.235-443https 354300x80000000000000008022Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:09.483{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-644.attackrange.local59191-false168.61.186.235-443https 10341000x80000000000000008021Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:11.208{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-625F-5FDA-1703-000000009A01}4952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008020Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:11.192{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-625F-5FDA-1703-000000009A01}4952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008019Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:11.192{84BF0721-615A-5FDA-2701-000000009A01}27044116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-625F-5FDA-1703-000000009A01}4952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008018Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:11.067{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-625F-5FDA-1603-000000009A01}4000C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008017Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:11.051{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-625F-5FDA-1603-000000009A01}4000C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008016Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:11.051{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-625F-5FDA-1603-000000009A01}4000C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008040Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:12.692{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.2\Load-Assemblies.ps12020-12-16 19:39:12.692 11241100x80000000000000008039Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:12.692{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.2\Tests\powershell-yaml.Tests.ps12020-12-16 19:39:12.692 11241100x80000000000000008038Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:12.676{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.2\lib\netstandard1.3\YamlDotNet.dll2020-12-16 19:39:12.676 11241100x80000000000000008037Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:12.676{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.2\lib\net45\YamlDotNet.dll2020-12-16 19:39:12.676 11241100x80000000000000008036Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:12.676{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\Documents\WindowsPowerShell\Modules\powershell-yaml\0.4.2\lib\net35\YamlDotNet.dll2020-12-16 19:39:12.676 354300x80000000000000008035Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:11.026{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-644.attackrange.local59195-false168.61.186.235-443https 354300x80000000000000008034Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:10.552{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-644.attackrange.local59194-false168.61.186.235-443https 11241100x80000000000000008033Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:12.098{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\1577110288\powershell-yaml\Tests\powershell-yaml.Tests.ps12020-12-16 19:39:12.098 11241100x80000000000000008032Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:12.083{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\1577110288\powershell-yaml\lib\netstandard1.3\YamlDotNet.dll2020-12-16 19:39:12.083 11241100x80000000000000008031Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:12.083{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\1577110288\powershell-yaml\lib\net45\YamlDotNet.dll2020-12-16 19:39:12.083 11241100x80000000000000008030Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:12.083{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\1577110288\powershell-yaml\lib\net35\YamlDotNet.dll2020-12-16 19:39:12.083 11241100x80000000000000008029Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:12.083{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\1577110288\powershell-yaml\Load-Assemblies.ps12020-12-16 19:39:12.083 11241100x80000000000000008028Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:12.067{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\pxwgk5dc\lib\net45\YamlDotNet.dll2020-12-16 19:39:12.067 11241100x80000000000000008027Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:12.051{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\pxwgk5dc\lib\netstandard1.3\YamlDotNet.dll2020-12-16 19:39:12.051 11241100x80000000000000008026Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:12.051{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\pxwgk5dc\lib\net35\YamlDotNet.dll2020-12-16 19:39:12.051 11241100x80000000000000008025Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:12.051{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\pxwgk5dc\Tests\powershell-yaml.Tests.ps12020-12-16 19:39:12.051 11241100x80000000000000008024Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:12.051{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\pxwgk5dc\Load-Assemblies.ps12020-12-16 19:39:12.051 354300x80000000000000008041Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:12.064{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-644.attackrange.local59196-false72.21.81.200-443https 11241100x80000000000000008071Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:14.973{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1036.003\src\T1036.003_masquerading.ps12020-12-16 19:39:14.973 11241100x80000000000000008070Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localEXE2020-12-16 19:39:14.973{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1036.003\bin\T1036.003.exe2020-12-16 19:39:14.973 11241100x80000000000000008069Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localEXE2020-12-16 19:39:14.942{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1027.004\bin\T1027.004_DynamicCompile.exe2020-12-16 19:39:14.942 11241100x80000000000000008068Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:14.864{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1016\src\top-128.txt2020-12-16 19:39:14.864 11241100x80000000000000008067Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:14.864{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1016\src\qakbot.bat2020-12-16 19:39:14.864 11241100x80000000000000008066Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localEXE2020-12-16 19:39:14.848{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1014\bin\puppetstrings.exe2020-12-16 19:39:14.848 10341000x80000000000000008065Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:14.770{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-6262-5FDA-1903-000000009A01}4196C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008064Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:14.755{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-6262-5FDA-1903-000000009A01}4196C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008063Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:14.755{84BF0721-615A-5FDA-2701-000000009A01}27044116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6262-5FDA-1903-000000009A01}4196C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008062Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:14.630{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\LICENSE.txt2020-12-16 19:39:14.630 11241100x80000000000000008061Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:14.614{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Misc\flag.txt2020-12-16 19:39:14.614 11241100x80000000000000008060Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:14.614{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Misc\Discovery.bat2020-12-16 19:39:14.614 11241100x80000000000000008059Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:14.614{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Labs\Webinar11062017-Labs.bat2020-12-16 19:39:14.614 11241100x80000000000000008058Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:14.614{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Initial_Access\generate-macro.ps12020-12-16 19:39:14.614 11241100x80000000000000008057Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:14.598{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Initial_Access\AtomicHTA.hta2020-12-16 19:39:14.598 11241100x80000000000000008056Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:14.583{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Chain_Reactions\qbot_infection_reaction.vbs2020-12-16 19:39:14.583 11241100x80000000000000008055Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:14.583{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Chain_Reactions\dragonstail_benign.ps12020-12-16 19:39:14.583 11241100x80000000000000008054Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:14.583{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Chain_Reactions\chain_reaction_Reactor.bat2020-12-16 19:39:14.583 11241100x80000000000000008053Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:14.583{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Chain_Reactions\chain_reaction_Plutonium.bat2020-12-16 19:39:14.583 11241100x80000000000000008052Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:14.583{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Chain_Reactions\chain_reaction_Fission.bat2020-12-16 19:39:14.583 11241100x80000000000000008051Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:14.567{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Chain_Reactions\chain_reaction_DragonsTail.ps12020-12-16 19:39:14.567 11241100x80000000000000008050Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:14.567{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Chain_Reactions\chain_reaction_DragonsTail.bat2020-12-16 19:39:14.567 11241100x80000000000000008049Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:14.567{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Chain_Reactions\chain_reaction_Cyclotron.bat2020-12-16 19:39:14.567 11241100x80000000000000008048Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:14.567{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Chain_Reactions\chain_reaction_Argonaut.ps12020-12-16 19:39:14.567 11241100x80000000000000008047Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localEXE2020-12-16 19:39:14.567{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\ARTifacts\Chain_Reactions\atomic-hello.exe2020-12-16 19:39:14.567 10341000x80000000000000008046Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:14.536{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-6262-5FDA-1803-000000009A01}632C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008045Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:14.520{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-6262-5FDA-1803-000000009A01}632C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008044Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:14.520{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6262-5FDA-1803-000000009A01}632C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008043Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:14.364{84BF0721-625F-5FDA-1703-000000009A01}4952C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1358-0\System.Workflow.ComponentModel.dll2020-12-16 19:39:14.364 22542200x80000000000000008042Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:12.058{84BF0721-6256-5FDA-0803-000000009A01}5076psg-prod-eastus.azureedge.net0type: 5 psg-prod-eastus.ec.azureedge.net;type: 5 cs9.wpc.v0cdn.net;::ffff:72.21.81.200;C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 11241100x80000000000000008121Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:15.958{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1547.010\src\x64\T1547.dll2020-12-16 19:39:15.958 11241100x80000000000000008120Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:15.958{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1547.010\src\Win32\T1547.dll2020-12-16 19:39:15.942 11241100x80000000000000008119Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:15.911{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1547.001\src\vbsstartup.vbs2020-12-16 19:39:15.911 11241100x80000000000000008118Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:15.911{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1547.001\src\jsestartup.jse2020-12-16 19:39:15.911 11241100x80000000000000008117Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:15.911{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1547.001\src\batstartup.bat2020-12-16 19:39:15.911 11241100x80000000000000008116Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localEXE2020-12-16 19:39:15.879{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1546.011\bin\AtomicTest.exe2020-12-16 19:39:15.879 11241100x80000000000000008115Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:15.879{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1546.011\bin\AtomicTest.dll2020-12-16 19:39:15.879 11241100x80000000000000008114Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:15.864{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1546.010\bin\T1546.010x86.dll2020-12-16 19:39:15.864 11241100x80000000000000008113Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:15.864{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1546.010\bin\T1546.010.dll2020-12-16 19:39:15.864 11241100x80000000000000008112Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localEXE2020-12-16 19:39:15.801{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1543.003\bin\AtomicService.exe2020-12-16 19:39:15.801 11241100x80000000000000008111Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:15.692{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1218\src\x64\T1218.dll2020-12-16 19:39:15.692 11241100x80000000000000008110Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:15.692{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1218\src\Win32\T1218.dll2020-12-16 19:39:15.692 11241100x80000000000000008109Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:15.676{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1218\src\Win32\T1218-2.dll2020-12-16 19:39:15.676 11241100x80000000000000008108Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:15.645{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1218.010\bin\AllTheThingsx86.dll2020-12-16 19:39:15.645 11241100x80000000000000008107Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:15.645{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1218.010\bin\AllTheThingsx64.dll2020-12-16 19:39:15.645 11241100x80000000000000008106Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:15.629{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1218.008\src\Win32\T1218-2.dll2020-12-16 19:39:15.629 11241100x80000000000000008105Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:15.614{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1218.007\src\x64\T1218.dll2020-12-16 19:39:15.614 11241100x80000000000000008104Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:15.583{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1218.005\src\powershell.ps12020-12-16 19:39:15.583 11241100x80000000000000008103Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:15.583{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1218.005\src\T1218.005.hta2020-12-16 19:39:15.583 11241100x80000000000000008102Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:15.583{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1218.004\src\InstallUtilTestHarness.ps12020-12-16 19:39:15.583 11241100x80000000000000008101Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:15.551{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1218.001\src\T1218.001.chm2020-12-16 19:39:15.551 11241100x80000000000000008100Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:15.458{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1134.004\src\PPID-Spoof.ps12020-12-16 19:39:15.458 11241100x80000000000000008099Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:15.458{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1134.004\bin\calc.dll2020-12-16 19:39:15.458 11241100x80000000000000008098Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:15.442{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1127.001\src\T1127.001.csproj2020-12-16 19:39:15.442 11241100x80000000000000008097Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:15.411{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1114.001\src\Get-Inbox.ps12020-12-16 19:39:15.411 11241100x80000000000000008096Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:15.395{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1110.003\src\parse_net_users.bat2020-12-16 19:39:15.395 11241100x80000000000000008095Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:15.395{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1110.002\src\sam.txt2020-12-16 19:39:15.395 11241100x80000000000000008094Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localEXE2020-12-16 19:39:15.317{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1087.002\src\AdFind.exe2020-12-16 19:39:15.317 11241100x80000000000000008093Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:15.301{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1074.001\src\Discovery.bat2020-12-16 19:39:15.301 11241100x80000000000000008092Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:15.286{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1074.001\bin\Folder_to_zip\T1074.txt2020-12-16 19:39:15.286 11241100x80000000000000008091Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:15.286{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1071.004\src\T1071-dns-domain-length.ps12020-12-16 19:39:15.286 11241100x80000000000000008090Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:15.286{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1071.004\src\T1071-dns-beacon.ps12020-12-16 19:39:15.286 11241100x80000000000000008089Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:15.223{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1059.005\src\sys_info.vbs2020-12-16 19:39:15.223 11241100x80000000000000008088Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:15.192{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1059.001\src\test.ps12020-12-16 19:39:15.192 11241100x80000000000000008087Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:15.192{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1059.001\src\Invoke-DownloadCradle.ps12020-12-16 19:39:15.192 11241100x80000000000000008086Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:15.176{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1056.004\src\x64\T1056.004.dll2020-12-16 19:39:15.176 11241100x80000000000000008085Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:15.176{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1056.004\src\Win32\T1056.004.dll2020-12-16 19:39:15.176 11241100x80000000000000008084Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:15.161{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1056.004\src\T1056.004\T1056.004.vcxproj2020-12-16 19:39:15.161 11241100x80000000000000008083Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:15.161{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1056.004\src\T1056.004.sln2020-12-16 19:39:15.161 11241100x80000000000000008082Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:15.161{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1056.004\bin\T1056.004x86.dll2020-12-16 19:39:15.161 11241100x80000000000000008081Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:15.161{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1056.004\bin\T1056.004x64.dll2020-12-16 19:39:15.161 11241100x80000000000000008080Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:15.145{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1056.001\src\Get-Keystrokes.ps12020-12-16 19:39:15.145 11241100x80000000000000008079Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:15.130{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1055\src\x64\T1055.dll2020-12-16 19:39:15.130 11241100x80000000000000008078Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:15.130{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1055\src\Win32\T1055.dll2020-12-16 19:39:15.130 11241100x80000000000000008077Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:15.114{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1055.012\src\Start-Hollow.ps12020-12-16 19:39:15.114 11241100x80000000000000008076Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:15.098{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1055.004\src\x64\T1055.dll2020-12-16 19:39:15.098 11241100x80000000000000008075Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:15.098{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1055.004\src\Win32\T1055.dll2020-12-16 19:39:15.098 11241100x80000000000000008074Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localEXE2020-12-16 19:39:15.098{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1055.004\bin\T1055.exe2020-12-16 19:39:15.083 11241100x80000000000000008073Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:15.004{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1036.003\src\T1036.003_test.bat2020-12-16 19:39:15.004 11241100x80000000000000008072Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:15.004{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1036.003\src\T1036.003_masquerading.vbs2020-12-16 19:39:15.004 10341000x80000000000000008140Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:16.942{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-6264-5FDA-1B03-000000009A01}4300C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008139Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:16.926{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-6264-5FDA-1B03-000000009A01}4300C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008138Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:16.926{84BF0721-615A-5FDA-2701-000000009A01}27044116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6264-5FDA-1B03-000000009A01}4300C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008137Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:16.708{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-6264-5FDA-1A03-000000009A01}1652C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008136Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:16.692{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-6264-5FDA-1A03-000000009A01}1652C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008135Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:16.692{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6264-5FDA-1A03-000000009A01}1652C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008134Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:16.583{84BF0721-6262-5FDA-1903-000000009A01}4196C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1064-0\System.Workflow.Runtime.dll2020-12-16 19:39:16.583 11241100x80000000000000008133Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:16.223{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\used_guids.txt2020-12-16 19:39:16.223 11241100x80000000000000008132Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:16.223{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1574.012\src\x64\Release\atomicNotepad.dll2020-12-16 19:39:16.223 11241100x80000000000000008131Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:16.208{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1574.012\src\atomicNotepad\atomicNotepad.vcxproj2020-12-16 19:39:16.208 11241100x80000000000000008130Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:16.208{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1574.012\src\atomicNotepad.sln2020-12-16 19:39:16.208 11241100x80000000000000008129Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:16.208{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1574.012\bin\T1574.012x64.dll2020-12-16 19:39:16.208 11241100x80000000000000008128Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localEXE2020-12-16 19:39:16.192{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1574.009\bin\WindowsServiceExample.exe2020-12-16 19:39:16.192 11241100x80000000000000008127Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:16.161{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1574.002\bin\libcurl.dll2020-12-16 19:39:16.161 11241100x80000000000000008126Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localEXE2020-12-16 19:39:16.161{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1574.002\bin\GUP.exe2020-12-16 19:39:16.161 11241100x80000000000000008125Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:16.130{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1566.001\bin\PhishingAttachment.xlsm2020-12-16 19:39:16.130 11241100x80000000000000008124Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:16.114{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1564.004\src\test.ps12020-12-16 19:39:16.114 11241100x80000000000000008123Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localEXE2020-12-16 19:39:16.083{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1562.004\bin\AtomicTest.exe2020-12-16 19:39:16.083 11241100x80000000000000008122Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:16.051{84BF0721-6256-5FDA-0803-000000009A01}5076C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\AtomicRedTeam\tmp\atomic-red-team-local-master\atomics\T1559.002\src\PowerShell_Script_For_DDE_Document.ps12020-12-16 19:39:16.051 10341000x80000000000000008146Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:17.458{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008145Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:17.458{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008144Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:17.458{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008143Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:17.348{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008142Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:17.348{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008141Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:17.348{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008255Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.848{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6266-5FDA-2803-000000009A01}4020C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008254Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.833{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-6266-5FDA-2803-000000009A01}4020C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008253Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.833{84BF0721-615A-5FDA-2701-000000009A01}27044116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6266-5FDA-2803-000000009A01}4020C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008252Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.786{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6266-5FDA-2703-000000009A01}3468C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008251Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.770{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-6266-5FDA-2703-000000009A01}3468C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008250Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.770{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6266-5FDA-2703-000000009A01}3468C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008249Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.645{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6266-5FDA-2603-000000009A01}3796C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008248Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.645{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-6266-5FDA-2603-000000009A01}3796C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008247Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.629{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6266-5FDA-2603-000000009A01}3796C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008246Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:18.583{84BF0721-6266-5FDA-2503-000000009A01}2872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\b38-0\System.Xml.Serialization.dll2020-12-16 19:39:18.583 10341000x80000000000000008245Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.567{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6266-5FDA-2503-000000009A01}2872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008244Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.551{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-6266-5FDA-2503-000000009A01}2872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008243Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.551{84BF0721-615A-5FDA-2701-000000009A01}27044116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6266-5FDA-2503-000000009A01}2872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008242Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.504{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6266-5FDA-2303-000000009A01}4344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008241Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.504{84BF0721-6266-5FDA-1D03-000000009A01}14161004C:\Windows\system32\conhost.exe{84BF0721-6266-5FDA-2403-000000009A01}3832C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008240Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.504{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008239Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.504{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008238Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.504{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008237Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.504{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008236Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.504{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008235Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.504{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008234Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.504{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008233Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.504{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008232Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.504{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008231Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.504{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-6266-5FDA-2403-000000009A01}3832C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008230Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.504{84BF0721-6266-5FDA-2203-000000009A01}3616212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-6266-5FDA-2403-000000009A01}3832C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+72b2519(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6753123(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6752df4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+72046d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+671398a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6771e59(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+67554be(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+67554be(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+675534f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+67472d4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6753807(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+67533fa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6753123(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6752df4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+72046d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6739c55(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6739225(wow64) 154100x80000000000000008229Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.511{84BF0721-6266-5FDA-2403-000000009A01}3832C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-6266-5FDA-CD94-1E0000000000}0x1e94cd0HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{84BF0721-6266-5FDA-2203-000000009A01}3616C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000008228Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.504{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-6266-5FDA-2303-000000009A01}4344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008227Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.504{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6266-5FDA-2303-000000009A01}4344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008226Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.442{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-6266-5FDA-2203-000000009A01}3616C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008225Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.442{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-6266-5FDA-2203-000000009A01}3616C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008224Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:18.442{84BF0721-6266-5FDA-2103-000000009A01}4980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1374-0\System.Xaml.Hosting.dll2020-12-16 19:39:18.442 11241100x80000000000000008223Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.395{84BF0721-6266-5FDA-2203-000000009A01}3616C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_0acpdily.03u.ps12020-12-16 19:39:18.395 10341000x80000000000000008222Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.379{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6266-5FDA-2203-000000009A01}3616C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008221Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.348{84BF0721-6266-5FDA-1D03-000000009A01}14161004C:\Windows\system32\conhost.exe{84BF0721-6266-5FDA-2203-000000009A01}3616C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008220Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.348{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008219Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.348{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008218Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.348{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008217Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.348{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008216Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.348{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008215Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.348{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008214Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.348{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008213Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.348{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008212Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.348{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008211Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.348{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-6266-5FDA-2203-000000009A01}3616C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008210Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.348{84BF0721-6266-5FDA-2003-000000009A01}48604628C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-6266-5FDA-2203-000000009A01}3616C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+794258b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de3195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+789474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6da39fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e01ecb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de53c1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6dd7346(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de3879(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de346c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de3195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+789474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6dc9cc7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6dc9297(wow64) 154100x80000000000000008209Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.360{84BF0721-6266-5FDA-2203-000000009A01}3616C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-6266-5FDA-CD94-1E0000000000}0x1e94cd0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{84BF0721-6266-5FDA-2003-000000009A01}4860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x80000000000000008208Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.301{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008207Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.301{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008206Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.301{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008205Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.301{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-6266-5FDA-2003-000000009A01}4860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008204Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.301{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-6266-5FDA-2003-000000009A01}4860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008203Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.270{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6266-5FDA-2103-000000009A01}4980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008202Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.254{84BF0721-6266-5FDA-2003-000000009A01}4860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_uq0m3pwl.eje.ps12020-12-16 19:39:18.254 10341000x80000000000000008201Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.254{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-6266-5FDA-2103-000000009A01}4980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008200Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.254{84BF0721-615A-5FDA-2701-000000009A01}27044116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6266-5FDA-2103-000000009A01}4980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008199Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.239{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6266-5FDA-2003-000000009A01}4860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008198Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.208{84BF0721-6266-5FDA-1D03-000000009A01}14161004C:\Windows\system32\conhost.exe{84BF0721-6266-5FDA-2003-000000009A01}4860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008197Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.208{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008196Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.208{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008195Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.192{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008194Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.192{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008193Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.192{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008192Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.192{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008191Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.192{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008190Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.192{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008189Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.192{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008188Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.192{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-6266-5FDA-2003-000000009A01}4860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008187Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.192{84BF0721-6266-5FDA-1F03-000000009A01}44324972C:\Windows\system32\cmd.exe{84BF0721-6266-5FDA-2003-000000009A01}4860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008186Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.206{84BF0721-6266-5FDA-2003-000000009A01}4860C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-6266-5FDA-CD94-1E0000000000}0x1e94cd0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{84BF0721-6266-5FDA-1F03-000000009A01}4432C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x80000000000000008185Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.192{84BF0721-6266-5FDA-1D03-000000009A01}14161004C:\Windows\system32\conhost.exe{84BF0721-6266-5FDA-1F03-000000009A01}4432C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008184Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.192{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008183Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.192{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008182Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.192{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008181Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.192{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008180Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.192{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008179Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.192{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008178Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.192{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008177Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.192{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008176Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.192{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-6266-5FDA-1F03-000000009A01}4432C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008175Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.192{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008174Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.192{84BF0721-6266-5FDA-1C03-000000009A01}33364284C:\Windows\system32\WinrsHost.exe{84BF0721-6266-5FDA-1F03-000000009A01}4432C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x80000000000000008173Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.199{84BF0721-6266-5FDA-1F03-000000009A01}4432C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-6266-5FDA-CD94-1E0000000000}0x1e94cd0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{84BF0721-6266-5FDA-1C03-000000009A01}3336C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000008172Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.192{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008171Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.192{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008170Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.192{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008169Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.114{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6266-5FDA-1E03-000000009A01}4676C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008168Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.114{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-6266-5FDA-1E03-000000009A01}4676C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008167Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.114{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6266-5FDA-1E03-000000009A01}4676C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008166Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.051{84BF0721-5F00-5FDA-1400-000000009A01}13241440C:\Windows\system32\svchost.exe{84BF0721-6266-5FDA-1C03-000000009A01}3336C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000008165Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.051{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6266-5FDA-1C03-000000009A01}3336C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008164Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.036{84BF0721-6266-5FDA-1D03-000000009A01}14161004C:\Windows\system32\conhost.exe{84BF0721-6266-5FDA-1C03-000000009A01}3336C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008163Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.020{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-6266-5FDA-1D03-000000009A01}1416C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008162Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.020{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008161Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.020{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008160Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.020{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008159Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.020{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008158Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.020{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008157Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.020{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008156Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.020{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008155Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.020{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008154Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.020{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008153Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.020{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-6266-5FDA-1C03-000000009A01}3336C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008152Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.020{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-6266-5FDA-1C03-000000009A01}3336C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008151Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.023{84BF0721-6266-5FDA-1C03-000000009A01}3336C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{84BF0721-6266-5FDA-CD94-1E0000000000}0x1e94cd0HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{84BF0721-5EFF-5FDA-0C00-000000009A01}612C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 11241100x80000000000000008150Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:18.020{84BF0721-6264-5FDA-1B03-000000009A01}4300C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\10cc-0\System.WorkflowServices.dll2020-12-16 19:39:18.020 10341000x80000000000000008149Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.020{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008148Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.020{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008147Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:18.004{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008314Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.926{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-6267-5FDA-2D03-000000009A01}4816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008313Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.926{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-6267-5FDA-2D03-000000009A01}4816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008312Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.879{84BF0721-6267-5FDA-2D03-000000009A01}4816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_0oelr0eb.w4d.ps12020-12-16 19:39:19.879 10341000x80000000000000008311Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.864{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6267-5FDA-2D03-000000009A01}4816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008310Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.833{84BF0721-6266-5FDA-1D03-000000009A01}14161004C:\Windows\system32\conhost.exe{84BF0721-6267-5FDA-2D03-000000009A01}4816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008309Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.833{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008308Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.833{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008307Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.833{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008306Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.833{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008305Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.833{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008304Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.833{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008303Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.833{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008302Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.833{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008301Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.833{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008300Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.833{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-6267-5FDA-2D03-000000009A01}4816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008299Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.833{84BF0721-6266-5FDA-2203-000000009A01}36164028C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-6267-5FDA-2D03-000000009A01}4816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|UNKNOWN(00007FFEB7FD88B0) 154100x80000000000000008298Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.838{84BF0721-6267-5FDA-2D03-000000009A01}4816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADEAOAAiACAALQBHAGUAdABQAHIAZQByAGUAcQBzAA==C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-6266-5FDA-CD94-1E0000000000}0x1e94cd0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{84BF0721-6266-5FDA-2203-000000009A01}3616C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000008297Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.786{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008296Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.786{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008295Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.786{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008294Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:19.598{84BF0721-6267-5FDA-2B03-000000009A01}3844C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\5mpgmpku.dll2020-12-16 19:39:19.489 10341000x80000000000000008293Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.598{84BF0721-6266-5FDA-1D03-000000009A01}14161004C:\Windows\system32\conhost.exe{84BF0721-6267-5FDA-2C03-000000009A01}4944C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008292Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.583{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008291Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.583{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008290Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.583{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008289Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.583{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008288Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.583{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008287Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.583{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008286Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.583{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008285Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.583{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008284Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.583{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008283Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.583{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-6267-5FDA-2C03-000000009A01}4944C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008282Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.583{84BF0721-6267-5FDA-2B03-000000009A01}38442676C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{84BF0721-6267-5FDA-2C03-000000009A01}4944C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008281Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.595{84BF0721-6267-5FDA-2C03-000000009A01}4944C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES6B5D.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSC270F935FDBFD48FB8597C78BA0664FD5.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-6266-5FDA-CD94-1E0000000000}0x1e94cd0HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{84BF0721-6267-5FDA-2B03-000000009A01}3844C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\5mpgmpku.cmdline" 10341000x80000000000000008280Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.489{84BF0721-6266-5FDA-1D03-000000009A01}14161004C:\Windows\system32\conhost.exe{84BF0721-6267-5FDA-2B03-000000009A01}3844C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008279Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.489{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008278Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.489{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008277Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.489{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008276Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.489{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008275Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.489{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008274Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.489{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008273Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.489{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008272Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.489{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008271Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.489{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008270Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.489{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-6267-5FDA-2B03-000000009A01}3844C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008269Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.489{84BF0721-6266-5FDA-2203-000000009A01}3616212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-6267-5FDA-2B03-000000009A01}3844C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c19a9|UNKNOWN(00007FFEB824B68F) 154100x80000000000000008268Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.492{84BF0721-6267-5FDA-2B03-000000009A01}3844C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\5mpgmpku.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-6266-5FDA-CD94-1E0000000000}0x1e94cd0HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{84BF0721-6266-5FDA-2203-000000009A01}3616C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x80000000000000008267Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.489{84BF0721-6266-5FDA-2203-000000009A01}3616C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\5mpgmpku.cmdline2020-12-16 19:39:19.489 11241100x80000000000000008266Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:19.489{84BF0721-6266-5FDA-2203-000000009A01}3616C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\5mpgmpku.dll2020-12-16 19:39:19.489 10341000x80000000000000008265Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.473{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6267-5FDA-2A03-000000009A01}4856C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008264Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.458{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-6267-5FDA-2A03-000000009A01}4856C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008263Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.458{84BF0721-615A-5FDA-2701-000000009A01}27044116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6267-5FDA-2A03-000000009A01}4856C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008262Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.286{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6267-5FDA-2903-000000009A01}4948C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008261Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.270{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-6267-5FDA-2903-000000009A01}4948C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008260Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.270{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6267-5FDA-2903-000000009A01}4948C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008259Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:19.208{84BF0721-6266-5FDA-2803-000000009A01}4020C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\fb4-0\UIAutomationClient.dll2020-12-16 19:39:19.208 10341000x80000000000000008258Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.192{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008257Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.192{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008256Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:19.176{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008387Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.958{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6268-5FDA-3603-000000009A01}2768C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008386Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.958{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-6268-5FDA-3603-000000009A01}2768C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008385Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.958{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6268-5FDA-3603-000000009A01}2768C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008384Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:20.879{84BF0721-6268-5FDA-3403-000000009A01}3444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\d74-0\UIAutomationTypes.dll2020-12-16 19:39:20.879 11241100x80000000000000008383Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:20.583{84BF0721-6268-5FDA-3203-000000009A01}4692C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\q3mhxclq\q3mhxclq.dll2020-12-16 19:39:20.489 10341000x80000000000000008382Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.583{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6268-5FDA-3403-000000009A01}3444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008381Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.583{84BF0721-6266-5FDA-1D03-000000009A01}14161004C:\Windows\system32\conhost.exe{84BF0721-6268-5FDA-3503-000000009A01}4160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008380Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.567{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008379Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.567{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008378Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.567{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008377Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.567{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008376Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.567{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008375Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.567{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008374Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.567{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008373Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.567{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008372Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.567{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008371Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.567{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-6268-5FDA-3503-000000009A01}4160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008370Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.567{84BF0721-6268-5FDA-3203-000000009A01}46924436C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{84BF0721-6268-5FDA-3503-000000009A01}4160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008369Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.580{84BF0721-6268-5FDA-3503-000000009A01}4160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES6F35.tmp" "c:\Users\Administrator\AppData\Local\Temp\q3mhxclq\CSC41509CC6E124D49BCACBF52199425B2.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-6266-5FDA-CD94-1E0000000000}0x1e94cd0HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{84BF0721-6268-5FDA-3203-000000009A01}4692C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\q3mhxclq\q3mhxclq.cmdline" 10341000x80000000000000008368Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.567{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-6268-5FDA-3403-000000009A01}3444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008367Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.567{84BF0721-615A-5FDA-2701-000000009A01}27044116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6268-5FDA-3403-000000009A01}3444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008366Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.520{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6268-5FDA-3303-000000009A01}4980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008365Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.520{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-6268-5FDA-3303-000000009A01}4980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008364Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.520{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6268-5FDA-3303-000000009A01}4980C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008363Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.504{84BF0721-6266-5FDA-1D03-000000009A01}14161004C:\Windows\system32\conhost.exe{84BF0721-6268-5FDA-3203-000000009A01}4692C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008362Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.504{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008361Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.504{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008360Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.504{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008359Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.504{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008358Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.504{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008357Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.504{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008356Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.504{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008355Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.504{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008354Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.504{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008353Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.504{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-6268-5FDA-3203-000000009A01}4692C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008352Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.504{84BF0721-6267-5FDA-2D03-000000009A01}48161588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-6268-5FDA-3203-000000009A01}4692C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c242b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c18d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\fec023c8de0ed58c816cd442e3b4ddfe\Microsoft.PowerShell.Commands.Utility.ni.dll+40c0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\fec023c8de0ed58c816cd442e3b4ddfe\Microsoft.PowerShell.Commands.Utility.ni.dll+40c0(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e073bc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de3195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+789474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6da39fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e01ecb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de53c1(wow64) 154100x80000000000000008351Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.506{84BF0721-6268-5FDA-3203-000000009A01}4692C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\q3mhxclq\q3mhxclq.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-6266-5FDA-CD94-1E0000000000}0x1e94cd0HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{84BF0721-6267-5FDA-2D03-000000009A01}4816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADEAOAAiACAALQBHAGUAdABQAHIAZQByAGUAcQBzAA== 11241100x80000000000000008350Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.489{84BF0721-6267-5FDA-2D03-000000009A01}4816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\q3mhxclq\q3mhxclq.cmdline2020-12-16 19:39:20.489 11241100x80000000000000008349Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:20.489{84BF0721-6267-5FDA-2D03-000000009A01}4816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\q3mhxclq\q3mhxclq.dll2020-12-16 19:39:20.489 11241100x80000000000000008348Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:20.458{84BF0721-6268-5FDA-3103-000000009A01}4820C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\12d4-0\UIAutomationProvider.dll2020-12-16 19:39:20.458 10341000x80000000000000008347Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.364{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6268-5FDA-3103-000000009A01}4820C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008346Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.348{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-6268-5FDA-3103-000000009A01}4820C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008345Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.348{84BF0721-615A-5FDA-2701-000000009A01}27044116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6268-5FDA-3103-000000009A01}4820C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008344Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.301{84BF0721-6266-5FDA-1D03-000000009A01}14161004C:\Windows\system32\conhost.exe{84BF0721-6268-5FDA-3003-000000009A01}4300C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008343Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.301{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008342Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.301{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008341Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.301{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008340Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.301{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008339Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.301{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008338Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.301{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008337Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.301{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008336Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.301{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008335Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.301{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008334Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.301{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-6268-5FDA-3003-000000009A01}4300C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008333Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.301{84BF0721-6267-5FDA-2D03-000000009A01}48161588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-6268-5FDA-3003-000000009A01}4300C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+794258b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de3195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+789474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6da39fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e01ecb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de53c1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6dd7346(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de3879(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de3415(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de3195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+789474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6da39fc(wow64) 154100x80000000000000008332Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.313{84BF0721-6268-5FDA-3003-000000009A01}4300C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-6266-5FDA-CD94-1E0000000000}0x1e94cd0HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{84BF0721-6267-5FDA-2D03-000000009A01}4816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADEAOAAiACAALQBHAGUAdABQAHIAZQByAGUAcQBzAA== 10341000x80000000000000008331Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.301{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6268-5FDA-2E03-000000009A01}2160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008330Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.301{84BF0721-6266-5FDA-1D03-000000009A01}14161004C:\Windows\system32\conhost.exe{84BF0721-6268-5FDA-2F03-000000009A01}4652C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008329Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.286{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008328Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.286{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008327Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.286{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008326Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.286{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008325Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.286{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008324Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.286{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008323Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.286{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008322Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.286{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008321Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.286{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008320Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.286{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-6268-5FDA-2F03-000000009A01}4652C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008319Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.286{84BF0721-6267-5FDA-2D03-000000009A01}48161588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-6268-5FDA-2F03-000000009A01}4652C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+794258b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de3195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+789474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6da39fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e01ecb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de53c1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6dd7346(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de3879(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de3415(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de3195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+789474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6da39fc(wow64) 154100x80000000000000008318Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.297{84BF0721-6268-5FDA-2F03-000000009A01}4652C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-6266-5FDA-CD94-1E0000000000}0x1e94cd0HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{84BF0721-6267-5FDA-2D03-000000009A01}4816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADEAOAAiACAALQBHAGUAdABQAHIAZQByAGUAcQBzAA== 10341000x80000000000000008317Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.286{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-6268-5FDA-2E03-000000009A01}2160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008316Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:20.286{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6268-5FDA-2E03-000000009A01}2160C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008315Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:20.208{84BF0721-6267-5FDA-2A03-000000009A01}4856C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\12f8-0\UIAutomationClientsideProviders.dll2020-12-16 19:39:20.208 10341000x80000000000000008472Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.989{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008471Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.989{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008470Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.989{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008469Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.989{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008468Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.989{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008467Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.989{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008466Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.989{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008465Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.989{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008464Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.989{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008463Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.989{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-6269-5FDA-4003-000000009A01}2872C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008462Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.989{84BF0721-6269-5FDA-3F03-000000009A01}15643796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-6269-5FDA-4003-000000009A01}2872C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+80475eab|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+7f916ab5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+7f916786|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+803c806b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+7f8d731c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+7f9357eb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+7f918e50|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+7f918e50|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+7f918e50|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+7f918ce1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+7f90ac66|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+7f917199|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+7f916d35|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+7f916ab5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+7f916786|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+803c806b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+7f8d731c 154100x80000000000000008461Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.993{84BF0721-6269-5FDA-4003-000000009A01}2872C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c adidnsdump -hC:\Users\Administrator\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-6266-5FDA-CD94-1E0000000000}0x1e94cd0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{84BF0721-6269-5FDA-3F03-000000009A01}1564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (cmd /c adidnsdump -h) {exit 0} else {exit 1}} 10341000x80000000000000008460Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.926{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-6269-5FDA-3F03-000000009A01}1564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008459Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.926{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-6269-5FDA-3F03-000000009A01}1564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008458Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.879{84BF0721-6269-5FDA-3F03-000000009A01}1564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_dcwurink.ifz.ps12020-12-16 19:39:21.879 10341000x80000000000000008457Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.864{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6269-5FDA-3F03-000000009A01}1564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008456Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.833{84BF0721-6266-5FDA-1D03-000000009A01}14161004C:\Windows\system32\conhost.exe{84BF0721-6269-5FDA-3F03-000000009A01}1564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008455Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.833{84BF0721-6267-5FDA-2D03-000000009A01}48161588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-6269-5FDA-3F03-000000009A01}1564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FFEB8319823) 10341000x80000000000000008454Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.833{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008453Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.833{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008452Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.833{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008451Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.833{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008450Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.833{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008449Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.833{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008448Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.833{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008447Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.833{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008446Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.833{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008445Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.833{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-6269-5FDA-3F03-000000009A01}1564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008444Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.833{84BF0721-6267-5FDA-2D03-000000009A01}48161588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-6269-5FDA-3F03-000000009A01}1564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de27a8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de261c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e64e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6ddb204(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+7894677(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6da39fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e01ecb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de53c1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6dd7346(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e104d6(wow64) 154100x80000000000000008443Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.838{84BF0721-6269-5FDA-3F03-000000009A01}1564C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (cmd /c adidnsdump -h) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-6266-5FDA-CD94-1E0000000000}0x1e94cd0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{84BF0721-6267-5FDA-2D03-000000009A01}4816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADEAOAAiACAALQBHAGUAdABQAHIAZQByAGUAcQBzAA== 10341000x80000000000000008442Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.786{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6269-5FDA-3E03-000000009A01}924C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008441Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.786{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-6269-5FDA-3E03-000000009A01}924C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008440Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.786{84BF0721-615A-5FDA-2701-000000009A01}27044116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6269-5FDA-3E03-000000009A01}924C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008439Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.645{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6269-5FDA-3D03-000000009A01}4676C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008438Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.645{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-6269-5FDA-3D03-000000009A01}4676C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008437Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.645{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6269-5FDA-3D03-000000009A01}4676C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008436Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.598{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-6269-5FDA-3B03-000000009A01}4232C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008435Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.598{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-6269-5FDA-3B03-000000009A01}4232C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008434Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.598{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6269-5FDA-3C03-000000009A01}4924C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008433Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.583{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-6269-5FDA-3C03-000000009A01}4924C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008432Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.583{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6269-5FDA-3C03-000000009A01}4924C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008431Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.551{84BF0721-6269-5FDA-3B03-000000009A01}4232C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_xwsdnlzi.0jd.ps12020-12-16 19:39:21.551 10341000x80000000000000008430Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.551{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6269-5FDA-3B03-000000009A01}4232C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008429Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.504{84BF0721-6266-5FDA-1D03-000000009A01}14161004C:\Windows\system32\conhost.exe{84BF0721-6269-5FDA-3B03-000000009A01}4232C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008428Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.504{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6269-5FDA-3A03-000000009A01}3768C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008427Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.504{84BF0721-6267-5FDA-2D03-000000009A01}48161588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-6269-5FDA-3B03-000000009A01}4232C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FFEB8319823) 10341000x80000000000000008426Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.504{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008425Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.504{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008424Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.504{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008423Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.504{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008422Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.504{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008421Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.504{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008420Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.504{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008419Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.504{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008418Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.504{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008417Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.504{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-6269-5FDA-3B03-000000009A01}4232C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008416Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.504{84BF0721-6267-5FDA-2D03-000000009A01}48161588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-6269-5FDA-3B03-000000009A01}4232C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de27a8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de261c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e64e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6ddb204(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+7894677(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6da39fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e01ecb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de53c1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6dd7346(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e104d6(wow64) 154100x80000000000000008415Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.515{84BF0721-6269-5FDA-3B03-000000009A01}4232C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (pip3 -V) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-6266-5FDA-CD94-1E0000000000}0x1e94cd0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{84BF0721-6267-5FDA-2D03-000000009A01}4816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADEAOAAiACAALQBHAGUAdABQAHIAZQByAGUAcQBzAA== 10341000x80000000000000008414Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.504{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-6269-5FDA-3A03-000000009A01}3768C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008413Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.504{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6269-5FDA-3A03-000000009A01}3768C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008412Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.364{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6269-5FDA-3903-000000009A01}4124C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008411Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.348{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-6269-5FDA-3903-000000009A01}4124C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008410Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.348{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6269-5FDA-3903-000000009A01}4124C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008409Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:21.286{84BF0721-6269-5FDA-3703-000000009A01}4424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\1148-0\WindowsFormsIntegration.dll2020-12-16 19:39:21.286 10341000x80000000000000008408Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.270{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-6269-5FDA-3803-000000009A01}3016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008407Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.270{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-6269-5FDA-3803-000000009A01}3016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008406Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.239{84BF0721-6269-5FDA-3803-000000009A01}3016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_252rt3sx.x55.ps12020-12-16 19:39:21.239 10341000x80000000000000008405Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.223{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6269-5FDA-3803-000000009A01}3016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008404Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.192{84BF0721-6267-5FDA-2D03-000000009A01}48161588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-6269-5FDA-3803-000000009A01}3016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FFEB8319823) 10341000x80000000000000008403Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.192{84BF0721-6266-5FDA-1D03-000000009A01}14161004C:\Windows\system32\conhost.exe{84BF0721-6269-5FDA-3803-000000009A01}3016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008402Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.176{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008401Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.176{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008400Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.176{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008399Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.176{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008398Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.176{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008397Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.176{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008396Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.176{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008395Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.176{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008394Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.176{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008393Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.176{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-6269-5FDA-3803-000000009A01}3016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008392Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.176{84BF0721-6267-5FDA-2D03-000000009A01}48161588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-6269-5FDA-3803-000000009A01}3016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de27a8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de261c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e64e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6ddb204(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+7894677(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6da39fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e01ecb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de53c1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6dd7346(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e104d6(wow64) 154100x80000000000000008391Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.187{84BF0721-6269-5FDA-3803-000000009A01}3016C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (python --version) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-6266-5FDA-CD94-1E0000000000}0x1e94cd0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{84BF0721-6267-5FDA-2D03-000000009A01}4816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADEAOAAiACAALQBHAGUAdABQAHIAZQByAGUAcQBzAA== 10341000x80000000000000008390Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.020{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6269-5FDA-3703-000000009A01}4424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008389Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.020{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-6269-5FDA-3703-000000009A01}4424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008388Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.020{84BF0721-615A-5FDA-2701-000000009A01}27044116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-6269-5FDA-3703-000000009A01}4424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008566Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.942{84BF0721-626A-5FDA-4703-000000009A01}2944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_5ydqz2fs.yh2.ps12020-12-16 19:39:22.942 10341000x80000000000000008565Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.926{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626A-5FDA-4703-000000009A01}2944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008564Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.895{84BF0721-6266-5FDA-1D03-000000009A01}14161004C:\Windows\system32\conhost.exe{84BF0721-626A-5FDA-4703-000000009A01}2944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008563Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.895{84BF0721-6267-5FDA-2D03-000000009A01}48161588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-626A-5FDA-4703-000000009A01}2944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FFEB8319823) 10341000x80000000000000008562Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.895{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008561Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.895{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008560Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.895{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008559Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.895{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008558Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.895{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008557Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.895{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008556Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.895{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008555Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.895{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008554Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.895{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008553Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.895{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-626A-5FDA-4703-000000009A01}2944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008552Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.895{84BF0721-6267-5FDA-2D03-000000009A01}48161588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-626A-5FDA-4703-000000009A01}2944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de27a8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de261c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e64e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6ddb204(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+7894677(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6da39fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e01ecb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de53c1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6dd7346(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e104d6(wow64) 154100x80000000000000008551Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.900{84BF0721-626A-5FDA-4703-000000009A01}2944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (Test-Path C:\AtomicRedTeam\atomics\T1087.002\src\AdFind.exe) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-6266-5FDA-CD94-1E0000000000}0x1e94cd0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{84BF0721-6267-5FDA-2D03-000000009A01}4816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADEAOAAiACAALQBHAGUAdABQAHIAZQByAGUAcQBzAA== 11241100x80000000000000008550Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:22.879{84BF0721-626A-5FDA-4503-000000009A01}2488C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\9b8-0\XsdBuildTask.dll2020-12-16 19:39:22.879 10341000x80000000000000008549Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.739{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-626A-5FDA-4603-000000009A01}2376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008548Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.739{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-626A-5FDA-4603-000000009A01}2376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008547Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.692{84BF0721-626A-5FDA-4603-000000009A01}2376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_mviyncv2.ej1.ps12020-12-16 19:39:22.692 10341000x80000000000000008546Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.692{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626A-5FDA-4603-000000009A01}2376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008545Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.661{84BF0721-6266-5FDA-1D03-000000009A01}14161004C:\Windows\system32\conhost.exe{84BF0721-626A-5FDA-4603-000000009A01}2376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008544Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.645{84BF0721-6267-5FDA-2D03-000000009A01}48161588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-626A-5FDA-4603-000000009A01}2376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FFEB8319823) 10341000x80000000000000008543Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.645{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008542Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.645{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008541Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.645{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008540Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.645{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008539Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.645{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008538Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.645{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008537Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.645{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008536Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.645{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008535Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.645{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008534Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.645{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-626A-5FDA-4603-000000009A01}2376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008533Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.645{84BF0721-6267-5FDA-2D03-000000009A01}48161588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-626A-5FDA-4603-000000009A01}2376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de27a8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de261c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e64e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6ddb204(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+7894677(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6da39fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e01ecb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de53c1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6dd7346(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e104d6(wow64) 154100x80000000000000008532Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.656{84BF0721-626A-5FDA-4603-000000009A01}2376C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (Test-Path C:\AtomicRedTeam\atomics\T1087.002\src\AdFind.exe) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-6266-5FDA-CD94-1E0000000000}0x1e94cd0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{84BF0721-6267-5FDA-2D03-000000009A01}4816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADEAOAAiACAALQBHAGUAdABQAHIAZQByAGUAcQBzAA== 10341000x80000000000000008531Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626A-5FDA-4503-000000009A01}2488C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008530Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.614{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-626A-5FDA-4503-000000009A01}2488C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008529Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.614{84BF0721-615A-5FDA-2701-000000009A01}27044116C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-626A-5FDA-4503-000000009A01}2488C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+91db|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9168|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8fc5|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008528Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.520{84BF0721-6266-5FDA-1D03-000000009A01}14161004C:\Windows\system32\conhost.exe{84BF0721-626A-5FDA-4403-000000009A01}2844C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008527Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.520{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008526Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.520{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008525Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.520{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008524Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.520{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008523Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.520{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008522Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.520{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008521Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.520{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008520Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.520{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008519Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.520{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008518Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.520{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-626A-5FDA-4403-000000009A01}2844C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008517Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.520{84BF0721-626A-5FDA-4203-000000009A01}40204176C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-626A-5FDA-4403-000000009A01}2844C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+794258b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de3195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+789474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6da39fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e01ecb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de53c1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6dd7346(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de3879(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de3415(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de3195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+789474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6da39fc(wow64) 154100x80000000000000008516Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.520{84BF0721-626A-5FDA-4403-000000009A01}2844C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c adidnsdump -hC:\Users\Administrator\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-6266-5FDA-CD94-1E0000000000}0x1e94cd0HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{84BF0721-626A-5FDA-4203-000000009A01}4020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (cmd /c adidnsdump -h) {exit 0} else {exit 1}} 10341000x80000000000000008515Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.458{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-626A-5FDA-4203-000000009A01}4020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008514Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.458{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-626A-5FDA-4203-000000009A01}4020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008513Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.411{84BF0721-626A-5FDA-4203-000000009A01}4020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_54dbtk3f.11e.ps12020-12-16 19:39:22.411 10341000x80000000000000008512Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.395{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626A-5FDA-4303-000000009A01}4396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008511Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.395{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626A-5FDA-4203-000000009A01}4020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008510Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.395{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-626A-5FDA-4303-000000009A01}4396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008509Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.379{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-626A-5FDA-4303-000000009A01}4396C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6d87|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2066|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+8b84|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ad3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008508Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.364{84BF0721-6266-5FDA-1D03-000000009A01}14161004C:\Windows\system32\conhost.exe{84BF0721-626A-5FDA-4203-000000009A01}4020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008507Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.364{84BF0721-6267-5FDA-2D03-000000009A01}48161588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-626A-5FDA-4203-000000009A01}4020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FFEB8319823) 10341000x80000000000000008506Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.364{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008505Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.364{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008504Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.364{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008503Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.364{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008502Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.364{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008501Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.364{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008500Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.364{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008499Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.348{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008498Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.348{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008497Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.348{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-626A-5FDA-4203-000000009A01}4020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008496Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.348{84BF0721-6267-5FDA-2D03-000000009A01}48161588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-626A-5FDA-4203-000000009A01}4020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de27a8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de261c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e64e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6ddb204(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+7894677(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6da39fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e01ecb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de53c1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6dd7346(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e104d6(wow64) 154100x80000000000000008495Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.363{84BF0721-626A-5FDA-4203-000000009A01}4020C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {if (cmd /c adidnsdump -h) {exit 0} else {exit 1}} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-6266-5FDA-CD94-1E0000000000}0x1e94cd0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{84BF0721-6267-5FDA-2D03-000000009A01}4816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADEAOAAiACAALQBHAGUAdABQAHIAZQByAGUAcQBzAA== 11241100x80000000000000008494Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:22.317{84BF0721-6269-5FDA-3E03-000000009A01}924C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_64\Temp\39c-0\XamlBuildTask.dll2020-12-16 19:39:22.317 10341000x80000000000000008493Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.114{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-626A-5FDA-4103-000000009A01}2508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008492Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.114{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-626A-5FDA-4103-000000009A01}2508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008491Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.067{84BF0721-626A-5FDA-4103-000000009A01}2508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_kumv2cc0.p5l.ps12020-12-16 19:39:22.067 10341000x80000000000000008490Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.067{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626A-5FDA-4103-000000009A01}2508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008489Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.020{84BF0721-6266-5FDA-1D03-000000009A01}14161004C:\Windows\system32\conhost.exe{84BF0721-626A-5FDA-4103-000000009A01}2508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008488Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.020{84BF0721-6267-5FDA-2D03-000000009A01}48161588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-626A-5FDA-4103-000000009A01}2508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FFEB8319823) 10341000x80000000000000008487Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.020{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008486Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.020{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008485Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.020{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008484Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.020{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008483Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.020{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008482Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.020{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008481Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.020{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008480Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.020{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008479Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.020{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008478Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.020{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-626A-5FDA-4103-000000009A01}2508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008477Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.020{84BF0721-6267-5FDA-2D03-000000009A01}48161588C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-626A-5FDA-4103-000000009A01}2508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de27a8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de261c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e64e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6ddb204(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+7894677(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6da39fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e01ecb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de53c1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6dd7346(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e104d6(wow64) 154100x80000000000000008476Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.030{84BF0721-626A-5FDA-4103-000000009A01}2508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" & {pip3 install adidnsdump} C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-6266-5FDA-CD94-1E0000000000}0x1e94cd0HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{84BF0721-6267-5FDA-2D03-000000009A01}4816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADEAOAAiACAALQBHAGUAdABQAHIAZQByAGUAcQBzAA== 11241100x80000000000000008475Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.020{84BF0721-6267-5FDA-2D03-000000009A01}4816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2020-12-16 19:39:22.020 11241100x80000000000000008474Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.020{84BF0721-6267-5FDA-2D03-000000009A01}4816C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2020-12-16 19:39:22.020 10341000x80000000000000008473Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:21.989{84BF0721-6266-5FDA-1D03-000000009A01}14161004C:\Windows\system32\conhost.exe{84BF0721-6269-5FDA-4003-000000009A01}2872C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008676Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.973{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626B-5FDA-6B03-000000009A01}1140C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008675Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.973{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-626B-5FDA-6B03-000000009A01}1140C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008674Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.973{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-626B-5FDA-6B03-000000009A01}1140C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008673Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.958{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626B-5FDA-6A03-000000009A01}3444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008672Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.942{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-626B-5FDA-6A03-000000009A01}3444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008671Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.942{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-626B-5FDA-6A03-000000009A01}3444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008670Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.926{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626B-5FDA-6903-000000009A01}2124C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008669Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.911{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-626B-5FDA-6903-000000009A01}2124C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008668Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.911{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-626B-5FDA-6903-000000009A01}2124C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008667Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.895{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626B-5FDA-6803-000000009A01}3204C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008666Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.895{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-626B-5FDA-6803-000000009A01}3204C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008665Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.895{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-626B-5FDA-6803-000000009A01}3204C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008664Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.879{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626B-5FDA-6703-000000009A01}1176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008663Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.864{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-626B-5FDA-6703-000000009A01}1176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008662Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.864{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-626B-5FDA-6703-000000009A01}1176C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008661Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.848{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626B-5FDA-6603-000000009A01}4636C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008660Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.833{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-626B-5FDA-6603-000000009A01}4636C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008659Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.833{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-626B-5FDA-6603-000000009A01}4636C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008658Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.817{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626B-5FDA-6503-000000009A01}3984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008657Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.817{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-626B-5FDA-6503-000000009A01}3984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008656Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.817{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-626B-5FDA-6503-000000009A01}3984C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008655Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.801{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626B-5FDA-6403-000000009A01}4848C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008654Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.786{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-626B-5FDA-6403-000000009A01}4848C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008653Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.786{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-626B-5FDA-6403-000000009A01}4848C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008652Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.770{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626B-5FDA-6303-000000009A01}1572C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008651Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.754{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-626B-5FDA-6303-000000009A01}1572C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008650Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.754{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-626B-5FDA-6303-000000009A01}1572C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008649Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.739{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{00000000-0000-0000-0000-000000000000}3584C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008648Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.739{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}3584C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008647Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.739{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}3584C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008646Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.723{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626B-5FDA-6103-000000009A01}172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008645Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.708{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008644Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.708{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}172C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008643Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.692{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626B-5FDA-6003-000000009A01}4232C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008642Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.676{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}4232C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008641Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.676{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}4232C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008640Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.661{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{00000000-0000-0000-0000-000000000000}4548C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008639Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.661{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}4548C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008638Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.661{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}4548C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008637Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.645{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626B-5FDA-5E03-000000009A01}4588C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008636Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.629{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}4588C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008635Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.629{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}4588C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008634Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.614{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626B-5FDA-5D03-000000009A01}4012C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008633Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.598{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}4012C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008632Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.598{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}4012C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008631Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.582{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626B-5FDA-5C03-000000009A01}2676C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008630Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.567{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2676C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008629Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.567{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}2676C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008628Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.551{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{00000000-0000-0000-0000-000000000000}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008627Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.551{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008626Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.551{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}4080C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008625Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.536{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626B-5FDA-5A03-000000009A01}924C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008624Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.520{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}924C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008623Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.520{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}924C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008622Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.504{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626B-5FDA-5903-000000009A01}4268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008621Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.489{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}4268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008620Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.489{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}4268C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008619Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.473{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626B-5FDA-5803-000000009A01}4424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008618Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.457{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}4424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008617Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.457{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}4424C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008616Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.442{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626B-5FDA-5703-000000009A01}4812C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008615Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.426{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}4812C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008614Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.426{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}4812C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008613Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.395{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626B-5FDA-5603-000000009A01}2840C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008612Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.379{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2840C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008611Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.379{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}2840C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008610Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.348{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626B-5FDA-5503-000000009A01}4040C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008609Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.332{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-626B-5FDA-5503-000000009A01}4040C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008608Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.332{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-626B-5FDA-5503-000000009A01}4040C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008607Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.317{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626A-5FDA-4603-000000009A01}2376C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008606Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.317{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-626A-5FDA-4603-000000009A01}2376C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008605Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.317{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-626A-5FDA-4603-000000009A01}2376C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008604Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.286{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{00000000-0000-0000-0000-000000000000}2896C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008603Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.286{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-626B-5FDA-5303-000000009A01}2896C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008602Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.286{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-626B-5FDA-5303-000000009A01}2896C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008601Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.270{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626B-5FDA-5203-000000009A01}4568C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008600Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.254{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}4568C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008599Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.254{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}4568C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008598Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.239{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626B-5FDA-5103-000000009A01}4300C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008597Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.223{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}4300C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008596Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.223{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}4300C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008595Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.207{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626B-5FDA-5003-000000009A01}4948C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008594Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.192{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}4948C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008593Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.192{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}4948C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008592Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.176{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626B-5FDA-4F03-000000009A01}4128C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008591Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.161{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}4128C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008590Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.161{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}4128C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008589Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.145{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626B-5FDA-4E03-000000009A01}108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008588Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.129{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008587Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.129{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}108C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008586Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.114{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626B-5FDA-4D03-000000009A01}2708C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008585Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.098{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2708C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008584Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.098{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}2708C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008583Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.083{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{00000000-0000-0000-0000-000000000000}4748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008582Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.083{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}4748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008581Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.083{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}4748C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008580Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.067{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626B-5FDA-4B03-000000009A01}3312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008579Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.051{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}3312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008578Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.051{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}3312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008577Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.036{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626B-5FDA-4A03-000000009A01}3344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008576Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.020{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}3344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008575Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.020{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}3344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008574Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.004{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626A-5FDA-4903-000000009A01}3832C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008573Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.989{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}3832C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008572Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.989{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}3832C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008571Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.989{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-626A-5FDA-4703-000000009A01}2944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008570Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.989{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-626A-5FDA-4703-000000009A01}2944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008569Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.973{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626A-5FDA-4803-000000009A01}3444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008568Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.958{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}3444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008567Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:22.958{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{00000000-0000-0000-0000-000000000000}3444C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008764Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.926{84BF0721-5F00-5FDA-1400-000000009A01}13241696C:\Windows\system32\svchost.exe{84BF0721-626C-5FDA-7F03-000000009A01}2492C:\Windows\system32\WinrsHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\winrscmd.dll+8d36|C:\Windows\system32\winrscmd.dll+92d5|C:\Windows\system32\winrscmd.dll+af31|C:\Windows\system32\winrscmd.dll+23dc|c:\windows\system32\wsmsvc.dll+155ac7|c:\windows\system32\wsmsvc.dll+13f76d|c:\windows\system32\wsmsvc.dll+13f3cf|c:\windows\system32\wsmsvc.dll+13fcb2|c:\windows\system32\wsmsvc.dll+9ab10|c:\windows\system32\wsmsvc.dll+9b611|c:\windows\system32\wsmsvc.dll+4495|c:\windows\system32\wsmsvc.dll+16816c|c:\windows\system32\wsmsvc.dll+1689b8|c:\windows\system32\wsmsvc.dll+16345b|c:\windows\system32\wsmsvc.dll+163125|c:\windows\system32\wsmsvc.dll+14ce9c|c:\windows\system32\wsmsvc.dll+130049|c:\windows\system32\wsmsvc.dll+13571a|c:\windows\system32\wsmsvc.dll+12f47e|c:\windows\system32\wsmsvc.dll+125587|c:\windows\system32\wsmsvc.dll+11f562|c:\windows\system32\wsmsvc.dll+124574 10341000x80000000000000008763Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.926{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626C-5FDA-7F03-000000009A01}2492C:\Windows\system32\WinrsHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008762Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.911{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-626C-5FDA-7F03-000000009A01}2492C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008761Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.895{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-626C-5FDA-8003-000000009A01}3344C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008760Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.895{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008759Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.895{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008758Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.895{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008757Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.895{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008756Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.895{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008755Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.895{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008754Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.895{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008753Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.895{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008752Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.895{84BF0721-5EFF-5FDA-0C00-000000009A01}6121112C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008751Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.895{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-626C-5FDA-7F03-000000009A01}2492C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008750Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.895{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626C-5FDA-7F03-000000009A01}2492C:\Windows\system32\WinrsHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+35069|c:\windows\system32\rpcss.dll+3a852|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008749Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.899{84BF0721-626C-5FDA-7F03-000000009A01}2492C:\Windows\System32\winrshost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for WinRM's Remote Shell pluginMicrosoft® Windows® Operating SystemMicrosoft Corporationwinrshost.exeC:\Windows\system32\WinrsHost.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=F40EC96CA18D88CB1F26FA2070010714,SHA256=607C014A3CA531FFAD50BCD90095C01E4E6B691D9E18473C70E4699CF1E31453,IMPHASH=4216D8E7F36901B61DFD6309B49BCF96{84BF0721-5EFF-5FDA-0C00-000000009A01}612C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000008748Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.879{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008747Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.879{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008746Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.879{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008745Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.661{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-615A-5FDA-2301-000000009A01}3920C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008744Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.536{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-626C-5FDA-7E03-000000009A01}4332C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008743Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.536{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-626C-5FDA-7E03-000000009A01}4332C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008742Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.504{84BF0721-615A-5FDA-2401-000000009A01}30205020C:\Windows\system32\conhost.exe{84BF0721-626C-5FDA-7E03-000000009A01}4332C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008741Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.504{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-626C-5FDA-7E03-000000009A01}4332C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008740Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.504{84BF0721-615A-5FDA-2301-000000009A01}39205100C:\Windows\Microsoft.NET\Framework64\v4.0.30319\NGenTask.exe{84BF0721-626C-5FDA-7E03-000000009A01}4332C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.dll+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.DLL+32979|UNKNOWN(00007FFEB7FC5147) 10341000x80000000000000008739Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.457{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626C-5FDA-7D03-000000009A01}1212C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008738Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.457{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008737Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.457{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008736Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.457{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-626C-5FDA-7D03-000000009A01}1212C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008735Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.442{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-626C-5FDA-7D03-000000009A01}1212C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008734Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.442{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008733Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.442{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626C-5FDA-7C03-000000009A01}4696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008732Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.426{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-626C-5FDA-7C03-000000009A01}4696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008731Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.426{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-626C-5FDA-7C03-000000009A01}4696C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008730Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.411{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626C-5FDA-7B03-000000009A01}4932C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008729Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.395{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-626C-5FDA-7B03-000000009A01}4932C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008728Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.395{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-626C-5FDA-7B03-000000009A01}4932C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008727Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.379{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626C-5FDA-7A03-000000009A01}5004C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008726Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.364{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-626C-5FDA-7A03-000000009A01}5004C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008725Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.364{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-626C-5FDA-7A03-000000009A01}5004C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008724Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.348{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626C-5FDA-7903-000000009A01}3220C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008723Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.348{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008722Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.348{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008721Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.348{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-626C-5FDA-7903-000000009A01}3220C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008720Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.348{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-626C-5FDA-7903-000000009A01}3220C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008719Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.332{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008718Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.317{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626C-5FDA-7803-000000009A01}3068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008717Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.317{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-626C-5FDA-7803-000000009A01}3068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008716Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.317{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-626C-5FDA-7803-000000009A01}3068C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008715Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.301{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626C-5FDA-7703-000000009A01}3156C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008714Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.286{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-626C-5FDA-7703-000000009A01}3156C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008713Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.286{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-626C-5FDA-7703-000000009A01}3156C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008712Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.270{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626C-5FDA-7603-000000009A01}4856C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008711Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.254{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-626C-5FDA-7603-000000009A01}4856C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008710Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.254{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-626C-5FDA-7603-000000009A01}4856C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008709Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.239{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626C-5FDA-7503-000000009A01}4344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008708Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.239{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-626C-5FDA-7503-000000009A01}4344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008707Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.239{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-626C-5FDA-7503-000000009A01}4344C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008706Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.223{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008705Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.223{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008704Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.223{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008703Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.223{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626C-5FDA-7403-000000009A01}4692C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008702Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.207{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-626C-5FDA-7403-000000009A01}4692C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008701Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.207{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-626C-5FDA-7403-000000009A01}4692C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008700Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.192{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626C-5FDA-7303-000000009A01}4300C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008699Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.192{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-626C-5FDA-7303-000000009A01}4300C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008698Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.192{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-626C-5FDA-7303-000000009A01}4300C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008697Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.176{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626C-5FDA-7203-000000009A01}2380C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008696Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.161{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-626C-5FDA-7203-000000009A01}2380C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008695Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.161{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-626C-5FDA-7203-000000009A01}2380C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008694Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.145{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626C-5FDA-7103-000000009A01}3764C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008693Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.129{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-626C-5FDA-7103-000000009A01}3764C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008692Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.129{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-626C-5FDA-7103-000000009A01}3764C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008691Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.114{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626C-5FDA-7003-000000009A01}3948C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008690Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.098{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-626C-5FDA-7003-000000009A01}3948C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008689Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.098{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-626C-5FDA-7003-000000009A01}3948C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008688Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.083{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626C-5FDA-6F03-000000009A01}656C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008687Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.083{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-626C-5FDA-6F03-000000009A01}656C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008686Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.083{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-626C-5FDA-6F03-000000009A01}656C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008685Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.067{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626C-5FDA-6E03-000000009A01}2872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008684Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.051{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-626C-5FDA-6E03-000000009A01}2872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008683Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.051{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-626C-5FDA-6E03-000000009A01}2872C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008682Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.036{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626C-5FDA-6D03-000000009A01}4608C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008681Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.020{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-626C-5FDA-6D03-000000009A01}4608C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008680Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.020{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-626C-5FDA-6D03-000000009A01}4608C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008679Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.004{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626C-5FDA-6C03-000000009A01}3200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008678Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:24.004{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-626C-5FDA-6C03-000000009A01}3200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008677Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:23.989{84BF0721-615A-5FDA-2701-000000009A01}27042544C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe{84BF0721-626C-5FDA-6C03-000000009A01}3200C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2d42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+a4e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9ebd|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9c4b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+9b19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ef20|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2eb7b|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+2ea88|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+11051|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+e075|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+6ae1|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+69a3|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvc.dll+1f19|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+8198|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1f42|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+1d64|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+277a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe+2708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008834Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.661{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-615C-5FDA-2C01-000000009A01}3332C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008833Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.661{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626D-5FDA-8403-000000009A01}4028C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008832Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.520{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-626D-5FDA-8503-000000009A01}4376C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008831Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.520{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008830Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.520{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008829Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.520{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008828Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.520{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008827Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.520{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008826Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.520{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008825Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.520{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008824Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.520{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008823Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.520{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008822Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.520{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-626D-5FDA-8503-000000009A01}4376C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008821Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.520{84BF0721-626D-5FDA-8303-000000009A01}43082672C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-626D-5FDA-8503-000000009A01}4376C:\Windows\system32\chcp.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+72b2519(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6753123(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6752df4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+72046d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+671398a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6771e59(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+67554be(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+67554be(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+675534f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+67472d4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6753807(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+67533fa(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6753123(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6752df4(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+72046d9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6739c55(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6739225(wow64) 154100x80000000000000008820Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.525{84BF0721-626D-5FDA-8503-000000009A01}4376C:\Windows\System32\chcp.com10.0.14393.0 (rs1_release.160715-1616)Change CodePage UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationCHCP.COM"C:\Windows\system32\chcp.com" 65001C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=BA6FD5B883C0899785D17CEBE66A25F6,SHA256=9FDBDF88CF2BB2794C416E3083553F2898AC9DC92DFAC2478B4C1DF667DF7C74,IMPHASH=4FB30D6E330F3FB3DB61550BD7FA7CCD{84BF0721-626D-5FDA-8303-000000009A01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000008819Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.489{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-626D-5FDA-8403-000000009A01}4028C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008818Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.489{84BF0721-615C-5FDA-2C01-000000009A01}33322668C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{84BF0721-626D-5FDA-8403-000000009A01}4028C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008817Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.379{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-626D-5FDA-8303-000000009A01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008816Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.379{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-626D-5FDA-8303-000000009A01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008815Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.332{84BF0721-626D-5FDA-8303-000000009A01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_oe0z3jas.lln.ps12020-12-16 19:39:25.332 10341000x80000000000000008814Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.317{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626D-5FDA-8303-000000009A01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008813Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.286{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-626D-5FDA-8303-000000009A01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008812Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.286{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008811Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.286{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008810Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.286{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008809Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.286{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008808Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.286{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008807Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.286{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008806Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.286{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008805Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.286{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008804Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.286{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008803Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.286{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-626D-5FDA-8303-000000009A01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008802Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.286{84BF0721-626D-5FDA-8203-000000009A01}23084220C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-626D-5FDA-8303-000000009A01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+9e1fbc1d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+9d69c827(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+9d69c4f8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+9e14dddd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+9d65d08e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+9d6bb55d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+9d69ebc2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+9d69ebc2(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+9d69ea53(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+9d6909d8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+9d69cf0b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+9d69cafe(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+9d69c827(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+9d69c4f8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+9e14dddd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+9d683359(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+9d682929(wow64) 154100x80000000000000008801Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.287{84BF0721-626D-5FDA-8303-000000009A01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA==C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{84BF0721-626D-5FDA-8203-000000009A01}2308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x80000000000000008800Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.145{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-626D-5FDA-8203-000000009A01}2308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008799Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.145{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-626D-5FDA-8203-000000009A01}2308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008798Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.145{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008797Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.145{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008796Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.145{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008795Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.098{84BF0721-626D-5FDA-8203-000000009A01}2308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_vdinc45t.mw4.ps12020-12-16 19:39:25.098 10341000x80000000000000008794Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.082{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626D-5FDA-8203-000000009A01}2308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008793Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.051{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-626D-5FDA-8203-000000009A01}2308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008792Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.051{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008791Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.051{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008790Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.051{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008789Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.051{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008788Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.051{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008787Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.051{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008786Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.051{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008785Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.051{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008784Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.051{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008783Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.051{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-626D-5FDA-8203-000000009A01}2308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008782Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.051{84BF0721-626D-5FDA-8103-000000009A01}42682144C:\Windows\system32\cmd.exe{84BF0721-626D-5FDA-8203-000000009A01}2308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008781Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.053{84BF0721-626D-5FDA-8203-000000009A01}2308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEPowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{84BF0721-626D-5FDA-8103-000000009A01}4268C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA= 10341000x80000000000000008780Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.036{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-626D-5FDA-8103-000000009A01}4268C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008779Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.036{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008778Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.036{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008777Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.036{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008776Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.036{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008775Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.036{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008774Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.036{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008773Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.036{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008772Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.036{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008771Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.036{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008770Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.036{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-626D-5FDA-8103-000000009A01}4268C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008769Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.036{84BF0721-626C-5FDA-7F03-000000009A01}24923200C:\Windows\system32\WinrsHost.exe{84BF0721-626D-5FDA-8103-000000009A01}4268C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\WinrsHost.exe+2c94|C:\Windows\system32\WinrsHost.exe+2eb1|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+5fc69|C:\Windows\System32\combase.dll+22b9|C:\Windows\System32\RPCRT4.dll+614ab|C:\Windows\System32\combase.dll+53b7c|C:\Windows\System32\combase.dll+53832|C:\Windows\System32\combase.dll+51958|C:\Windows\System32\combase.dll+4fecd|C:\Windows\System32\combase.dll+4f5af|C:\Windows\System32\combase.dll+6d9f9|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+523ce|C:\Windows\System32\RPCRT4.dll+244c7|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b 154100x80000000000000008768Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.046{84BF0721-626D-5FDA-8103-000000009A01}4268C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /C PowerShell -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand UABvAHcAZQByAFMAaABlAGwAbAAgAC0ATgBvAFAAcgBvAGYAaQBsAGUAIAAtAE4AbwBuAEkAbgB0AGUAcgBhAGMAdABpAHYAZQAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AUABvAGwAaQBjAHkAIABVAG4AcgBlAHMAdAByAGkAYwB0AGUAZAAgAC0ARQBuAGMAbwBkAGUAZABDAG8AbQBtAGEAbgBkACAASgBnAEIAagBBAEcAZwBBAFkAdwBCAHcAQQBDADQAQQBZAHcAQgB2AEEARwAwAEEASQBBAEEAMgBBAEQAVQBBAE0AQQBBAHcAQQBEAEUAQQBJAEEAQQArAEEAQwBBAEEASgBBAEIAdQBBAEgAVQBBAGIAQQBCAHMAQQBBAG8AQQBKAEEAQgBsAEEASABnAEEAWgBRAEIAagBBAEYAOABBAGQAdwBCAHkAQQBHAEUAQQBjAEEAQgB3AEEARwBVAEEAYwBnAEIAZgBBAEgATQBBAGQAQQBCAHkAQQBDAEEAQQBQAFEAQQBnAEEAQwBRAEEAYQBRAEIAdQBBAEgAQQBBAGQAUQBCADAAQQBDAEEAQQBmAEEAQQBnAEEARQA4AEEAZABRAEIAMABBAEMAMABBAFUAdwBCADAAQQBIAEkAQQBhAFEAQgB1AEEARwBjAEEAQwBnAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAGcAQQBEADAAQQBJAEEAQQBrAEEARwBVAEEAZQBBAEIAbABBAEcATQBBAFgAdwBCADMAQQBIAEkAQQBZAFEAQgB3AEEASABBAEEAWgBRAEIAeQBBAEYAOABBAGMAdwBCADAAQQBIAEkAQQBMAGcAQgBUAEEASABBAEEAYgBBAEIAcABBAEgAUQBBAEsAQQBCAEEAQQBDAGcAQQBJAGcAQgBnAEEARABBAEEAWQBBAEEAdwBBAEcAQQBBAE0AQQBCAGcAQQBEAEEAQQBJAGcAQQBwAEEAQwB3AEEASQBBAEEAeQBBAEMAdwBBAEkAQQBCAGIAQQBGAE0AQQBkAEEAQgB5AEEARwBrAEEAYgBnAEIAbgBBAEYATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBQAEEASABBAEEAZABBAEIAcABBAEcAOABBAGIAZwBCAHoAQQBGADAAQQBPAGcAQQA2AEEARgBJAEEAWgBRAEIAdABBAEcAOABBAGQAZwBCAGwAQQBFAFUAQQBiAFEAQgB3AEEASABRAEEAZQBRAEIARgBBAEcANABBAGQAQQBCAHkAQQBHAGsAQQBaAFEAQgB6AEEAQwBrAEEAQwBnAEIASgBBAEcAWQBBAEkAQQBBAG8AQQBDADAAQQBiAGcAQgB2AEEASABRAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBBAHUAQQBFAHcAQQBaAFEAQgB1AEEARwBjAEEAZABBAEIAbwBBAEMAQQBBAEwAUQBCAGwAQQBIAEUAQQBJAEEAQQB5AEEAQwBrAEEASQBBAEIANwBBAEMAQQBBAGQAQQBCAG8AQQBIAEkAQQBiAHcAQgAzAEEAQwBBAEEASQBnAEIAcABBAEcANABBAGQAZwBCAGgAQQBHAHcAQQBhAFEAQgBrAEEAQwBBAEEAYwBBAEIAaABBAEgAawBBAGIAQQBCAHYAQQBHAEUAQQBaAEEAQQBpAEEAQwBBAEEAZgBRAEEASwBBAEYATQBBAFoAUQBCADAAQQBDADAAQQBWAGcAQgBoAEEASABJAEEAYQBRAEIAaABBAEcASQBBAGIAQQBCAGwAQQBDAEEAQQBMAFEAQgBPAEEARwBFAEEAYgBRAEIAbABBAEMAQQBBAGEAZwBCAHoAQQBHADgAQQBiAGcAQgBmAEEASABJAEEAWQBRAEIAMwBBAEMAQQBBAEwAUQBCAFcAQQBHAEUAQQBiAEEAQgAxAEEARwBVAEEASQBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEUAQQBYAFEAQQBLAEEAQwBRAEEAWgBRAEIANABBAEcAVQBBAFkAdwBCAGYAQQBIAGMAQQBjAGcAQgBoAEEASABBAEEAYwBBAEIAbABBAEgASQBBAEkAQQBBADkAQQBDAEEAQQBXAHcAQgBUAEEARwBNAEEAYwBnAEIAcABBAEgAQQBBAGQAQQBCAEMAQQBHAHcAQQBiAHcAQgBqAEEARwBzAEEAWABRAEEANgBBAEQAbwBBAFEAdwBCAHkAQQBHAFUAQQBZAFEAQgAwAEEARwBVAEEASwBBAEEAawBBAEgATQBBAGMAQQBCAHMAQQBHAGsAQQBkAEEAQgBmAEEASABBAEEAWQBRAEIAeQBBAEgAUQBBAGMAdwBCAGIAQQBEAEEAQQBYAFEAQQBwAEEAQQBvAEEASgBnAEEAawBBAEcAVQBBAGUAQQBCAGwAQQBHAE0AQQBYAHcAQgAzAEEASABJAEEAWQBRAEIAdwBBAEgAQQBBAFoAUQBCAHkAQQBBAD0APQA=C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{84BF0721-626C-5FDA-7F03-000000009A01}2492C:\Windows\System32\winrshost.exeC:\Windows\system32\WinrsHost.exe -Embedding 10341000x80000000000000008767Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.036{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008766Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.036{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008765Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:25.036{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008875Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:26.817{84BF0721-626E-5FDA-8803-000000009A01}5076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\1lm0emb4.dll2020-12-16 19:39:26.692 10341000x80000000000000008874Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.801{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-626E-5FDA-8903-000000009A01}4312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008873Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.801{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008872Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.801{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008871Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.801{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008870Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.801{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008869Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.801{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008868Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.801{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008867Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.801{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008866Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.801{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008865Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.801{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008864Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.801{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008863Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.801{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008862Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.801{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-626E-5FDA-8903-000000009A01}4312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008861Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.801{84BF0721-626E-5FDA-8803-000000009A01}50761780C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{84BF0721-626E-5FDA-8903-000000009A01}4312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008860Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.806{84BF0721-626E-5FDA-8903-000000009A01}4312C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES878F.tmp" "c:\Users\Administrator\AppData\Local\Temp\CSCB4AF0A22827741B2A63C9BEBC8EFDF5.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{84BF0721-626E-5FDA-8803-000000009A01}5076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\1lm0emb4.cmdline" 10341000x80000000000000008859Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.801{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008858Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.692{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-626E-5FDA-8803-000000009A01}5076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008857Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.692{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008856Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.692{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008855Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.692{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008854Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.692{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008853Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.692{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008852Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.692{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008851Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.692{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008850Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.692{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008849Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.692{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008848Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.692{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-626E-5FDA-8803-000000009A01}5076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008847Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.692{84BF0721-626D-5FDA-8303-000000009A01}43082672C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-626E-5FDA-8803-000000009A01}5076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c1edb|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c19a9|UNKNOWN(00007FFEB841B68F) 154100x80000000000000008846Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.699{84BF0721-626E-5FDA-8803-000000009A01}5076C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\ADMINI~1\AppData\Local\Temp\1lm0emb4.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{84BF0721-626D-5FDA-8303-000000009A01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 11241100x80000000000000008845Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.692{84BF0721-626D-5FDA-8303-000000009A01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\1lm0emb4.cmdline2020-12-16 19:39:26.692 11241100x80000000000000008844Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:26.692{84BF0721-626D-5FDA-8303-000000009A01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\1lm0emb4.dll2020-12-16 19:39:26.692 10341000x80000000000000008843Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.567{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626E-5FDA-8703-000000009A01}4320C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008842Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.551{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-626E-5FDA-8703-000000009A01}4320C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008841Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.551{84BF0721-615C-5FDA-2C01-000000009A01}33322192C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{84BF0721-626E-5FDA-8703-000000009A01}4320C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008840Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.254{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626E-5FDA-8603-000000009A01}3140C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008839Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.239{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-626E-5FDA-8603-000000009A01}3140C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008838Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.239{84BF0721-615C-5FDA-2C01-000000009A01}33322668C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{84BF0721-626E-5FDA-8603-000000009A01}3140C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008837Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.192{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008836Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.192{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008835Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:26.192{84BF0721-5EFE-5FDA-0B00-000000009A01}860988C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008947Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:27.864{84BF0721-626F-5FDA-8D03-000000009A01}1588C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\23ev0a4v\23ev0a4v.dll2020-12-16 19:39:27.786 10341000x80000000000000008946Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.864{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-626F-5FDA-8E03-000000009A01}3852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008945Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.864{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008944Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.864{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008943Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.864{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008942Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.864{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008941Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.864{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008940Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.864{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008939Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.864{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008938Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.864{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008937Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.864{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008936Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.864{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-626F-5FDA-8E03-000000009A01}3852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008935Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.864{84BF0721-626F-5FDA-8D03-000000009A01}15883220C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{84BF0721-626F-5FDA-8E03-000000009A01}3852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b181|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3d58|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3ed0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3fa6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+274e|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27a0|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+28e4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7e38f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45d22|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+448ef|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+445e6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+44303|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18321|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+17b76|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+9e0d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1edf02|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008934Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.864{84BF0721-626F-5FDA-8E03-000000009A01}3852C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe12.00.52519.0 built by: VSWINSERVICINGMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES8BA6.tmp" "c:\Users\Administrator\AppData\Local\Temp\23ev0a4v\CSCC8A0A69CB7084790A9B367EA581D867.TMP"C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=33BB8BE0B4F547324D93D5D2725CAC3D,SHA256=54315FD2B69C678EB7D8C145F683C15F41FA9F7B9ABF7BF978667DF4158F43C3,IMPHASH=9A65E39CA38ADDAA7D4BB704AD0223FF{84BF0721-626F-5FDA-8D03-000000009A01}1588C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\23ev0a4v\23ev0a4v.cmdline" 10341000x80000000000000008933Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.786{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-626F-5FDA-8D03-000000009A01}1588C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008932Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.786{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008931Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.786{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008930Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.786{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008929Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.786{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008928Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.786{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008927Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.786{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008926Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.786{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008925Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.786{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008924Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.786{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008923Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.786{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-626F-5FDA-8D03-000000009A01}1588C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008922Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.786{84BF0721-626F-5FDA-8A03-000000009A01}1723156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-626F-5FDA-8D03-000000009A01}1588C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+270222|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26fe9f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f9ee|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26f97a|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+26e48b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c242b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+7c18d9|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\fec023c8de0ed58c816cd442e3b4ddfe\Microsoft.PowerShell.Commands.Utility.ni.dll+b80|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\fec023c8de0ed58c816cd442e3b4ddfe\Microsoft.PowerShell.Commands.Utility.ni.dll+b80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e073bc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de3195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+789474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6da39fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e01ecb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de53c1(wow64) 154100x80000000000000008921Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.794{84BF0721-626F-5FDA-8D03-000000009A01}1588C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.7.2053.0 built by: NET47REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\23ev0a4v\23ev0a4v.cmdline"C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=4360A98D8785625667D2574D2DD5C988,SHA256=F7DB25AA420C14C514690C1E943EC1E729596973E911B3445DFAD42FE958711D,IMPHASH=ED2AE001A3FDD84BDC04C99A98883A52{84BF0721-626F-5FDA-8A03-000000009A01}172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADEAOAAiACAALQBDAG8AbgBmAGkAcgBtADoAJABmAGEAbABzAGUAIAAtAFQAaQBtAGUAbwB1AHQAUwBlAGMAbwBuAGQAcwAgADMAMAAwACAALQBFAHgAZQBjAHUAdABpAG8AbgBMAG8AZwBQAGEAdABoACAAQwA6AFwAQQB0AG8AbQBpAGMAUgBlAGQAVABlAGEAbQBcAGEAdABjAF8AZQB4AGUAYwB1AHQAaQBvAG4ALgBjAHMAdgA= 11241100x80000000000000008920Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.786{84BF0721-626F-5FDA-8A03-000000009A01}172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\23ev0a4v\23ev0a4v.cmdline2020-12-16 19:39:27.786 11241100x80000000000000008919Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:27.786{84BF0721-626F-5FDA-8A03-000000009A01}172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\23ev0a4v\23ev0a4v.dll2020-12-16 19:39:27.786 10341000x80000000000000008918Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.614{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-626F-5FDA-8C03-000000009A01}2940C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008917Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.614{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008916Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.614{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008915Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.614{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008914Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.614{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008913Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.614{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008912Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.614{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008911Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.614{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008910Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.614{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008909Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.614{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008908Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.614{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-626F-5FDA-8C03-000000009A01}2940C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008907Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.614{84BF0721-626F-5FDA-8A03-000000009A01}1723156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-626F-5FDA-8C03-000000009A01}2940C:\Windows\system32\whoami.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+794258b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de3195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+789474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6da39fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e01ecb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de53c1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6dd7346(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de3879(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de3415(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de3195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+789474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6da39fc(wow64) 154100x80000000000000008906Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.615{84BF0721-626F-5FDA-8C03-000000009A01}2940C:\Windows\System32\whoami.exe10.0.14393.0 (rs1_release.160715-1616)whoami - displays logged on user informationMicrosoft® Windows® Operating SystemMicrosoft Corporationwhoami.exe"C:\Windows\system32\whoami.exe"C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=AA1E17EA3DB5CD9D8BC061CAEC74C6E8,SHA256=8ECFFCCE38D4EE87ABAEE6CBE843D94D4F8FB98FAB3C356C7F6B70E60B10F88A,IMPHASH=E24E330FA9663CE77F2031CACAEB3DF9{84BF0721-626F-5FDA-8A03-000000009A01}172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADEAOAAiACAALQBDAG8AbgBmAGkAcgBtADoAJABmAGEAbABzAGUAIAAtAFQAaQBtAGUAbwB1AHQAUwBlAGMAbwBuAGQAcwAgADMAMAAwACAALQBFAHgAZQBjAHUAdABpAG8AbgBMAG8AZwBQAGEAdABoACAAQwA6AFwAQQB0AG8AbQBpAGMAUgBlAGQAVABlAGEAbQBcAGEAdABjAF8AZQB4AGUAYwB1AHQAaQBvAG4ALgBjAHMAdgA= 10341000x80000000000000008905Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.598{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-626F-5FDA-8B03-000000009A01}4596C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008904Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.598{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008903Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.598{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008902Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.598{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008901Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.598{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008900Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.598{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008899Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.598{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008898Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.598{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008897Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.598{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008896Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.598{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008895Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.598{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-626F-5FDA-8B03-000000009A01}4596C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008894Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.598{84BF0721-626F-5FDA-8A03-000000009A01}1723156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-626F-5FDA-8B03-000000009A01}4596C:\Windows\system32\HOSTNAME.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3332f6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b5560|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b4f07|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+794258b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de3195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+789474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6da39fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e01ecb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de53c1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6dd7346(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de3879(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de3415(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de3195(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de2e66(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+789474b(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6da39fc(wow64) 154100x80000000000000008893Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.600{84BF0721-626F-5FDA-8B03-000000009A01}4596C:\Windows\System32\HOSTNAME.EXE10.0.14393.0 (rs1_release.160715-1616)Hostname APPMicrosoft® Windows® Operating SystemMicrosoft Corporationhostname.exe"C:\Windows\system32\HOSTNAME.EXE"C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=1088BA1BF7CDDFF61ECC51BC0C02FDEF,SHA256=B8DA5A3AE4371E63DFD2F468E29CC23AA6F98A6A357A67955996F8F61E58FBA1,IMPHASH=D210D728CB9D45B4D1827BCE52F7EC6E{84BF0721-626F-5FDA-8A03-000000009A01}172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADEAOAAiACAALQBDAG8AbgBmAGkAcgBtADoAJABmAGEAbABzAGUAIAAtAFQAaQBtAGUAbwB1AHQAUwBlAGMAbwBuAGQAcwAgADMAMAAwACAALQBFAHgAZQBjAHUAdABpAG8AbgBMAG8AZwBQAGEAdABoACAAQwA6AFwAQQB0AG8AbQBpAGMAUgBlAGQAVABlAGEAbQBcAGEAdABjAF8AZQB4AGUAYwB1AHQAaQBvAG4ALgBjAHMAdgA= 10341000x80000000000000008892Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.145{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-626F-5FDA-8A03-000000009A01}172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+25d17|C:\Windows\system32\lsasrv.dll+26ded|C:\Windows\system32\lsasrv.dll+25b95|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008891Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.145{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-626F-5FDA-8A03-000000009A01}172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6624|C:\Windows\System32\RPCRT4.dll+4a8bf|C:\Windows\system32\lsasrv.dll+25add|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x80000000000000008890Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.098{84BF0721-626F-5FDA-8A03-000000009A01}172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_n543inir.n4m.ps12020-12-16 19:39:27.098 10341000x80000000000000008889Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.082{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-626F-5FDA-8A03-000000009A01}172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008888Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.051{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-626F-5FDA-8A03-000000009A01}172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008887Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.051{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008886Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.051{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008885Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.051{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008884Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.051{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008883Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.051{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008882Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.051{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008881Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.051{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008880Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.051{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008879Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.051{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008878Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.051{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-626F-5FDA-8A03-000000009A01}172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008877Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.051{84BF0721-626D-5FDA-8303-000000009A01}43084224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-626F-5FDA-8A03-000000009A01}172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|UNKNOWN(00007FFEB84F0F10) 154100x80000000000000008876Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:27.053{84BF0721-626F-5FDA-8A03-000000009A01}172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADEAOAAiACAALQBDAG8AbgBmAGkAcgBtADoAJABmAGEAbABzAGUAIAAtAFQAaQBtAGUAbwB1AHQAUwBlAGMAbwBuAGQAcwAgADMAMAAwACAALQBFAHgAZQBjAHUAdABpAG8AbgBMAG8AZwBQAGEAdABoACAAQwA6AFwAQQB0AG8AbQBpAGMAUgBlAGQAVABlAGEAbQBcAGEAdABjAF8AZQB4AGUAYwB1AHQAaQBvAG4ALgBjAHMAdgA=C:\Users\Administrator\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{84BF0721-626D-5FDA-8303-000000009A01}4308C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -ExecutionPolicy Unrestricted -EncodedCommand JgBjAGgAYwBwAC4AYwBvAG0AIAA2ADUAMAAwADEAIAA+ACAAJABuAHUAbABsAAoAJABlAHgAZQBjAF8AdwByAGEAcABwAGUAcgBfAHMAdAByACAAPQAgACQAaQBuAHAAdQB0ACAAfAAgAE8AdQB0AC0AUwB0AHIAaQBuAGcACgAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAgAD0AIAAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAF8AcwB0AHIALgBTAHAAbABpAHQAKABAACgAIgBgADAAYAAwAGAAMABgADAAIgApACwAIAAyACwAIABbAFMAdAByAGkAbgBnAFMAcABsAGkAdABPAHAAdABpAG8AbgBzAF0AOgA6AFIAZQBtAG8AdgBlAEUAbQBwAHQAeQBFAG4AdAByAGkAZQBzACkACgBJAGYAIAAoAC0AbgBvAHQAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwAuAEwAZQBuAGcAdABoACAALQBlAHEAIAAyACkAIAB7ACAAdABoAHIAbwB3ACAAIgBpAG4AdgBhAGwAaQBkACAAcABhAHkAbABvAGEAZAAiACAAfQAKAFMAZQB0AC0AVgBhAHIAaQBhAGIAbABlACAALQBOAGEAbQBlACAAagBzAG8AbgBfAHIAYQB3ACAALQBWAGEAbAB1AGUAIAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADEAXQAKACQAZQB4AGUAYwBfAHcAcgBhAHAAcABlAHIAIAA9ACAAWwBTAGMAcgBpAHAAdABCAGwAbwBjAGsAXQA6ADoAQwByAGUAYQB0AGUAKAAkAHMAcABsAGkAdABfAHAAYQByAHQAcwBbADAAXQApAAoAJgAkAGUAeABlAGMAXwB3AHIAYQBwAHAAZQByAA== 10341000x80000000000000008976Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:28.426{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-6270-5FDA-9003-000000009A01}3672C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008975Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:28.426{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008974Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:28.426{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008973Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:28.426{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008972Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:28.426{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008971Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:28.426{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008970Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:28.426{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008969Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:28.426{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008968Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:28.426{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008967Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:28.426{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008966Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:28.426{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-6270-5FDA-9003-000000009A01}3672C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008965Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:28.426{84BF0721-6270-5FDA-8F03-000000009A01}13322376C:\Windows\system32\cmd.exe{84BF0721-6270-5FDA-9003-000000009A01}3672C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8564|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008964Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:28.431{84BF0721-6270-5FDA-9003-000000009A01}3672C:\Windows\System32\net.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet.exenet view /domain C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=C6B6DAA95CEA707F8D986D933E4A9596,SHA256=FDDC5F29F779A6EF73D70A2C551397FDEE63F549F2BCE4FE6A7AEEDC11F4F72E,IMPHASH=C41B15F592DE4589047CE5119CE87468{84BF0721-6270-5FDA-8F03-000000009A01}1332C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "net view /domain & net view" 10341000x80000000000000008963Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:28.426{84BF0721-626F-5FDA-8A03-000000009A01}1723156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-6270-5FDA-8F03-000000009A01}1332C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FFEB83E6523) 10341000x80000000000000008962Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:28.411{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-6270-5FDA-8F03-000000009A01}1332C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008961Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:28.411{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008960Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:28.411{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008959Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:28.411{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008958Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:28.411{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008957Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:28.411{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008956Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:28.411{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008955Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:28.411{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008954Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:28.411{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008953Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:28.411{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008952Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:28.411{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-6270-5FDA-8F03-000000009A01}1332C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008951Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:28.411{84BF0721-626F-5FDA-8A03-000000009A01}1723156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-6270-5FDA-8F03-000000009A01}1332C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+ff9aff9f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+ff9aff9f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+ff9aff9f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+ff9aff9f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de27a8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de261c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e64e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6ddb204(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+7894677(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6da39fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e01ecb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de53c1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6dd7346(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e104d6(wow64) 154100x80000000000000008950Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:28.420{84BF0721-6270-5FDA-8F03-000000009A01}1332C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "net view /domain & net view" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{84BF0721-626F-5FDA-8A03-000000009A01}172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADEAOAAiACAALQBDAG8AbgBmAGkAcgBtADoAJABmAGEAbABzAGUAIAAtAFQAaQBtAGUAbwB1AHQAUwBlAGMAbwBuAGQAcwAgADMAMAAwACAALQBFAHgAZQBjAHUAdABpAG8AbgBMAG8AZwBQAGEAdABoACAAQwA6AFwAQQB0AG8AbQBpAGMAUgBlAGQAVABlAGEAbQBcAGEAdABjAF8AZQB4AGUAYwB1AHQAaQBvAG4ALgBjAHMAdgA= 11241100x80000000000000008949Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:28.411{84BF0721-626F-5FDA-8A03-000000009A01}172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2020-12-16 19:39:22.020 11241100x80000000000000008948Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:28.411{84BF0721-626F-5FDA-8A03-000000009A01}172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2020-12-16 19:39:22.020 11241100x80000000000000008977Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:31.582{84BF0721-626E-5FDA-8703-000000009A01}4320C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\10e0-0\System.dll2020-12-16 19:39:31.582 10341000x80000000000000008983Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:32.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6274-5FDA-9203-000000009A01}1004C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008982Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:32.614{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-6274-5FDA-9203-000000009A01}1004C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008981Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:32.614{84BF0721-615C-5FDA-2C01-000000009A01}33322192C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{84BF0721-6274-5FDA-9203-000000009A01}1004C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000008980Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:32.254{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6274-5FDA-9103-000000009A01}4616C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008979Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:32.239{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-6274-5FDA-9103-000000009A01}4616C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008978Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:32.239{84BF0721-615C-5FDA-2C01-000000009A01}33322668C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{84BF0721-6274-5FDA-9103-000000009A01}4616C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000008996Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:33.786{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-6275-5FDA-9303-000000009A01}2544C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008995Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:33.786{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008994Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:33.786{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008993Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:33.786{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008992Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:33.786{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008991Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:33.786{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008990Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:33.786{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008989Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:33.786{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008988Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:33.786{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008987Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:33.786{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008986Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:33.786{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-6275-5FDA-9303-000000009A01}2544C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008985Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:33.786{84BF0721-6270-5FDA-8F03-000000009A01}13322376C:\Windows\system32\cmd.exe{84BF0721-6275-5FDA-9303-000000009A01}2544C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+c347|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000008984Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:33.794{84BF0721-6275-5FDA-9303-000000009A01}2544C:\Windows\System32\net.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet.exenet view C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=C6B6DAA95CEA707F8D986D933E4A9596,SHA256=FDDC5F29F779A6EF73D70A2C551397FDEE63F549F2BCE4FE6A7AEEDC11F4F72E,IMPHASH=C41B15F592DE4589047CE5119CE87468{84BF0721-6270-5FDA-8F03-000000009A01}1332C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "net view /domain & net view" 10341000x80000000000000009003Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:36.707{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6278-5FDA-9503-000000009A01}4128C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009002Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:36.692{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-6278-5FDA-9503-000000009A01}4128C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009001Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:36.692{84BF0721-615C-5FDA-2C01-000000009A01}33322192C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{84BF0721-6278-5FDA-9503-000000009A01}4128C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000009000Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:36.489{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6278-5FDA-9403-000000009A01}2304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000008999Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:36.473{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-6278-5FDA-9403-000000009A01}2304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000008998Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:36.473{84BF0721-615C-5FDA-2C01-000000009A01}33322668C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{84BF0721-6278-5FDA-9403-000000009A01}2304C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000008997Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:36.192{84BF0721-6274-5FDA-9203-000000009A01}1004C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\3ec-0\System.Xml.dll2020-12-16 19:39:36.192 10341000x80000000000000009116Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.629{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-627B-5FDA-9D03-000000009A01}4636C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009115Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009114Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009113Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009112Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009111Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009110Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009109Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009108Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009107Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009106Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.629{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-627B-5FDA-9D03-000000009A01}4636C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009105Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.629{84BF0721-627B-5FDA-9B03-000000009A01}30682444C:\Windows\system32\cmd.exe{84BF0721-627B-5FDA-9D03-000000009A01}4636C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+10aa0|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009104Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.638{84BF0721-627B-5FDA-9D03-000000009A01}4636C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping -n 1 -w 100 192.168.1.2 C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{84BF0721-627B-5FDA-9B03-000000009A01}3068C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i" 10341000x80000000000000009103Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.614{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-627B-5FDA-9C03-000000009A01}4200C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009102Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.614{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009101Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.614{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009100Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.614{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009099Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.614{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009098Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.614{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009097Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.614{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009096Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.614{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009095Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.614{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009094Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.614{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009093Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.614{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-627B-5FDA-9C03-000000009A01}4200C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009092Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.614{84BF0721-627B-5FDA-9B03-000000009A01}30682444C:\Windows\system32\cmd.exe{84BF0721-627B-5FDA-9C03-000000009A01}4200C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+10aa0|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009091Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.615{84BF0721-627B-5FDA-9C03-000000009A01}4200C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping -n 1 -w 100 192.168.1.1 C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{84BF0721-627B-5FDA-9B03-000000009A01}3068C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i" 10341000x80000000000000009090Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.567{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-627B-5FDA-9B03-000000009A01}3068C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009089Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.567{84BF0721-626F-5FDA-8A03-000000009A01}1723156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-627B-5FDA-9B03-000000009A01}3068C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FFEB83E6523) 10341000x80000000000000009088Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.551{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009087Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.551{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009086Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.551{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009085Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.551{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009084Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.551{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009083Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.551{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009082Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.551{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009081Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.551{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009080Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.551{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009079Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.551{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-627B-5FDA-9B03-000000009A01}3068C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009078Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.551{84BF0721-626F-5FDA-8A03-000000009A01}1723156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-627B-5FDA-9B03-000000009A01}3068C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+ff9aff9f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+ff9aff9f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+ff9aff9f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+ff9aff9f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de27a8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de261c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e64e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6ddb204(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+7894677(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6da39fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e01ecb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de53c1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6dd7346(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e104d6(wow64) 154100x80000000000000009077Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.565{84BF0721-627B-5FDA-9B03-000000009A01}3068C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "for /l %%i in (1,1,254) do ping -n 1 -w 100 192.168.1.%%i" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{84BF0721-626F-5FDA-8A03-000000009A01}172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADEAOAAiACAALQBDAG8AbgBmAGkAcgBtADoAJABmAGEAbABzAGUAIAAtAFQAaQBtAGUAbwB1AHQAUwBlAGMAbwBuAGQAcwAgADMAMAAwACAALQBFAHgAZQBjAHUAdABpAG8AbgBMAG8AZwBQAGEAdABoACAAQwA6AFwAQQB0AG8AbQBpAGMAUgBlAGQAVABlAGEAbQBcAGEAdABjAF8AZQB4AGUAYwB1AHQAaQBvAG4ALgBjAHMAdgA= 11241100x80000000000000009076Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.551{84BF0721-626F-5FDA-8A03-000000009A01}172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2020-12-16 19:39:22.020 11241100x80000000000000009075Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.551{84BF0721-626F-5FDA-8A03-000000009A01}172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2020-12-16 19:39:22.020 10341000x80000000000000009074Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.473{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-627B-5FDA-9A03-000000009A01}1780C:\Windows\system32\nltest.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009073Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.473{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009072Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.473{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009071Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.473{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009070Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.473{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009069Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.473{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009068Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.473{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009067Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.473{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009066Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.473{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009065Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.473{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009064Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.473{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-627B-5FDA-9A03-000000009A01}1780C:\Windows\system32\nltest.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009063Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.473{84BF0721-627B-5FDA-9903-000000009A01}46043996C:\Windows\system32\cmd.exe{84BF0721-627B-5FDA-9A03-000000009A01}1780C:\Windows\system32\nltest.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009062Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.476{84BF0721-627B-5FDA-9A03-000000009A01}1780C:\Windows\System32\nltest.exe10.0.14393.3986 (rs1_release.201002-1707)Microsoft® Logon Server Test UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationnltestrk.exenltest.exe /dclist:domain.local C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=4ADBAD5694EB3EBA955EC07D8C0D3078,SHA256=E683028BCFC99EFD1BE498359FB798A27505637C10951BD8D5CD91AD21981418,IMPHASH=4C049D80BB0FE7E8B0688666FFF88442{84BF0721-627B-5FDA-9903-000000009A01}4604C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "nltest.exe /dclist:domain.local" 10341000x80000000000000009061Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.395{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-627B-5FDA-9903-000000009A01}4604C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009060Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.348{84BF0721-626F-5FDA-8A03-000000009A01}1723156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-627B-5FDA-9903-000000009A01}4604C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FFEB83E6523) 10341000x80000000000000009059Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.348{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009058Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.348{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009057Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.348{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009056Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.348{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009055Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.348{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009054Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.348{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009053Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.348{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009052Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.348{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009051Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.348{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009050Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.348{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-627B-5FDA-9903-000000009A01}4604C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009049Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.348{84BF0721-626F-5FDA-8A03-000000009A01}1723156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-627B-5FDA-9903-000000009A01}4604C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+ff9aff9f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+ff9aff9f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+ff9aff9f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+ff9aff9f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de27a8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de261c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e64e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6ddb204(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+7894677(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6da39fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e01ecb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de53c1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6dd7346(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e104d6(wow64) 154100x80000000000000009048Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.358{84BF0721-627B-5FDA-9903-000000009A01}4604C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "nltest.exe /dclist:domain.local" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{84BF0721-626F-5FDA-8A03-000000009A01}172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADEAOAAiACAALQBDAG8AbgBmAGkAcgBtADoAJABmAGEAbABzAGUAIAAtAFQAaQBtAGUAbwB1AHQAUwBlAGMAbwBuAGQAcwAgADMAMAAwACAALQBFAHgAZQBjAHUAdABpAG8AbgBMAG8AZwBQAGEAdABoACAAQwA6AFwAQQB0AG8AbQBpAGMAUgBlAGQAVABlAGEAbQBcAGEAdABjAF8AZQB4AGUAYwB1AHQAaQBvAG4ALgBjAHMAdgA= 11241100x80000000000000009047Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.348{84BF0721-626F-5FDA-8A03-000000009A01}172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2020-12-16 19:39:22.020 11241100x80000000000000009046Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.348{84BF0721-626F-5FDA-8A03-000000009A01}172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2020-12-16 19:39:22.020 10341000x80000000000000009045Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.285{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-627B-5FDA-9803-000000009A01}3140C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009044Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.285{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009043Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.285{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009042Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.285{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009041Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.285{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009040Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.285{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009039Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.285{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009038Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.285{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009037Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.285{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009036Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.285{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009035Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.285{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-627B-5FDA-9803-000000009A01}3140C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009034Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.285{84BF0721-627B-5FDA-9703-000000009A01}34924504C:\Windows\system32\net.exe{84BF0721-627B-5FDA-9803-000000009A01}3140C:\Windows\system32\net1.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\net.exe+240f|C:\Windows\system32\net.exe+1883|C:\Windows\system32\net.exe+163b|C:\Windows\system32\net.exe+1375|C:\Windows\system32\net.exe+26fd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009033Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.290{84BF0721-627B-5FDA-9803-000000009A01}3140C:\Windows\System32\net1.exe10.0.14393.0 (rs1_release.160715-1616)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet1.exeC:\Windows\system32\net1 group "Domain Computers" /domain C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=946383ED00F5CD92DBCB7CDB878ED819,SHA256=E92A2FA67AD2F7367ABA1ABF237D245B5E36291C5A4A9F0FC04B3A0E32FF618E,IMPHASH=E2F26A4CA577CF6DBACE937727934F80{84BF0721-627B-5FDA-9703-000000009A01}3492C:\Windows\System32\net.exenet group "Domain Computers" /domain 10341000x80000000000000009032Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.270{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-627B-5FDA-9703-000000009A01}3492C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009031Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.270{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009030Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.270{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009029Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.270{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009028Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.270{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009027Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.270{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009026Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.270{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009025Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.270{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009024Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.270{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009023Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.270{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009022Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.270{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-627B-5FDA-9703-000000009A01}3492C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009021Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.270{84BF0721-627B-5FDA-9603-000000009A01}32321272C:\Windows\system32\cmd.exe{84BF0721-627B-5FDA-9703-000000009A01}3492C:\Windows\system32\net.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009020Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.280{84BF0721-627B-5FDA-9703-000000009A01}3492C:\Windows\System32\net.exe10.0.14393.2430 (rs1_release_inmarket_aim.180806-1810)Net CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationnet.exenet group "Domain Computers" /domain C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=C6B6DAA95CEA707F8D986D933E4A9596,SHA256=FDDC5F29F779A6EF73D70A2C551397FDEE63F549F2BCE4FE6A7AEEDC11F4F72E,IMPHASH=C41B15F592DE4589047CE5119CE87468{84BF0721-627B-5FDA-9603-000000009A01}3232C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "net group "Domain Computers" /domain" 10341000x80000000000000009019Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.270{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-627B-5FDA-9603-000000009A01}3232C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009018Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.270{84BF0721-626F-5FDA-8A03-000000009A01}1723156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-627B-5FDA-9603-000000009A01}3232C:\Windows\system32\cmd.exe0x1f3fffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+3364bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3a5c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b42a7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b452d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\7e90080f26800b0f94f23eecd5dbab97\System.ni.dll+2b3ed3|UNKNOWN(00007FFEB83E6523) 10341000x80000000000000009017Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.270{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009016Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.270{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009015Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.270{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009014Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.270{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009013Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.270{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009012Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.270{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009011Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.270{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009010Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.270{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009009Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.270{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009008Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.270{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-627B-5FDA-9603-000000009A01}3232C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009007Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.270{84BF0721-626F-5FDA-8A03-000000009A01}1723156C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{84BF0721-627B-5FDA-9603-000000009A01}3232C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+ff9aff9f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+ff9aff9f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+ff9aff9f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\221211b0f1173771b1b65a7943b57a5c\Microsoft.PowerShell.Commands.Management.ni.dll+ff9aff9f(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de27a8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de261c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e64e48(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6ddb204(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+7894677(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6da39fc(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e01ecb(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de5530(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6de53c1(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6dd7346(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\f2e75c3c5abfc2c2cdb9a82b4cd032d5\System.Management.Automation.ni.dll+6e104d6(wow64) 154100x80000000000000009006Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.271{84BF0721-627B-5FDA-9603-000000009A01}3232C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" /c "net group "Domain Computers" /domain" C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{84BF0721-626F-5FDA-8A03-000000009A01}172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -noninteractive -encodedcommand WwBDAG8AbgBzAG8AbABlAF0AOgA6AEkAbgBwAHUAdABFAG4AYwBvAGQAaQBuAGcAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFQAZQB4AHQALgBVAFQARgA4AEUAbgBjAG8AZABpAG4AZwAgACQAZgBhAGwAcwBlADsAIABJAG0AcABvAHIAdAAtAE0AbwBkAHUAbABlACAAIgBDADoAXABBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAFwAaQBuAHYAbwBrAGUALQBhAHQAbwBtAGkAYwByAGUAZAB0AGUAYQBtAFwASQBuAHYAbwBrAGUALQBBAHQAbwBtAGkAYwBSAGUAZABUAGUAYQBtAC4AcABzAGQAMQAiACAALQBGAG8AcgBjAGUACgBJAG4AdgBvAGsAZQAtAEEAdABvAG0AaQBjAFQAZQBzAHQAIAAiAFQAMQAwADEAOAAiACAALQBDAG8AbgBmAGkAcgBtADoAJABmAGEAbABzAGUAIAAtAFQAaQBtAGUAbwB1AHQAUwBlAGMAbwBuAGQAcwAgADMAMAAwACAALQBFAHgAZQBjAHUAdABpAG8AbgBMAG8AZwBQAGEAdABoACAAQwA6AFwAQQB0AG8AbQBpAGMAUgBlAGQAVABlAGEAbQBcAGEAdABjAF8AZQB4AGUAYwB1AHQAaQBvAG4ALgBjAHMAdgA= 11241100x80000000000000009005Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.270{84BF0721-626F-5FDA-8A03-000000009A01}172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-err.txt2020-12-16 19:39:22.020 11241100x80000000000000009004Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.270{84BF0721-626F-5FDA-8A03-000000009A01}172C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\ADMINI~1\AppData\Local\Temp\art-out.txt2020-12-16 19:39:22.020 10341000x80000000000000009142Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:40.645{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-627C-5FDA-9F03-000000009A01}4304C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009141Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:40.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009140Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:40.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009139Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:40.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009138Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:40.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009137Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:40.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009136Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:40.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009135Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:40.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009134Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:40.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009133Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:40.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009132Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:40.629{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-627C-5FDA-9F03-000000009A01}4304C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009131Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:40.629{84BF0721-627B-5FDA-9B03-000000009A01}30682444C:\Windows\system32\cmd.exe{84BF0721-627C-5FDA-9F03-000000009A01}4304C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+10aa0|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009130Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:40.642{84BF0721-627C-5FDA-9F03-000000009A01}4304C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping -n 1 -w 100 192.168.1.4 C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{84BF0721-627B-5FDA-9B03-000000009A01}3068C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i" 10341000x80000000000000009129Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:40.129{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-627C-5FDA-9E03-000000009A01}2676C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009128Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:40.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009127Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:40.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009126Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:40.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009125Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:40.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009124Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:40.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009123Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:40.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009122Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:40.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009121Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:40.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009120Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:40.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009119Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:40.129{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-627C-5FDA-9E03-000000009A01}2676C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009118Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:40.129{84BF0721-627B-5FDA-9B03-000000009A01}30682444C:\Windows\system32\cmd.exe{84BF0721-627C-5FDA-9E03-000000009A01}2676C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+10aa0|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009117Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:40.140{84BF0721-627C-5FDA-9E03-000000009A01}2676C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping -n 1 -w 100 192.168.1.3 C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{84BF0721-627B-5FDA-9B03-000000009A01}3068C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i" 10341000x80000000000000009174Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:41.863{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-627D-5FDA-A203-000000009A01}3052C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009173Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:41.848{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-627D-5FDA-A203-000000009A01}3052C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009172Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:41.848{84BF0721-615C-5FDA-2C01-000000009A01}33322192C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{84BF0721-627D-5FDA-A203-000000009A01}3052C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000009171Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:41.629{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-627D-5FDA-A103-000000009A01}2868C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009170Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:41.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009169Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:41.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009168Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:41.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009167Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:41.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009166Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:41.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009165Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:41.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009164Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:41.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009163Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:41.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009162Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:41.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009161Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:41.629{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-627D-5FDA-A103-000000009A01}2868C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009160Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:41.629{84BF0721-627B-5FDA-9B03-000000009A01}30682444C:\Windows\system32\cmd.exe{84BF0721-627D-5FDA-A103-000000009A01}2868C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+10aa0|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009159Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:41.640{84BF0721-627D-5FDA-A103-000000009A01}2868C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping -n 1 -w 100 192.168.1.6 C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{84BF0721-627B-5FDA-9B03-000000009A01}3068C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i" 22542200x80000000000000009158Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.613{84BF0721-5EFE-5FDA-0B00-000000009A01}860_ldap._tcp.dc._msdcs.domain.local.9003-C:\Windows\System32\lsass.exe 22542200x80000000000000009157Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:39.606{84BF0721-5EFE-5FDA-0B00-000000009A01}860_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.local.9003-C:\Windows\System32\lsass.exe 11241100x80000000000000009156Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:41.520{84BF0721-6278-5FDA-9503-000000009A01}4128C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\1020-0\System.Core.dll2020-12-16 19:39:41.520 10341000x80000000000000009155Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:41.129{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-627D-5FDA-A003-000000009A01}4948C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009154Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:41.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009153Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:41.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009152Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:41.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009151Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:41.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009150Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:41.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009149Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:41.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009148Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:41.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009147Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:41.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009146Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:41.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009145Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:41.129{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-627D-5FDA-A003-000000009A01}4948C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009144Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:41.129{84BF0721-627B-5FDA-9B03-000000009A01}30682444C:\Windows\system32\cmd.exe{84BF0721-627D-5FDA-A003-000000009A01}4948C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+10aa0|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009143Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:41.140{84BF0721-627D-5FDA-A003-000000009A01}4948C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping -n 1 -w 100 192.168.1.5 C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{84BF0721-627B-5FDA-9B03-000000009A01}3068C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i" 10341000x80000000000000009207Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:42.629{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-627E-5FDA-A603-000000009A01}3020C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009206Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:42.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-627E-5FDA-A503-000000009A01}1416C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009205Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:42.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009204Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:42.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009203Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:42.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009202Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:42.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009201Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:42.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009200Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:42.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009199Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:42.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009198Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:42.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009197Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:42.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009196Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:42.629{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-627E-5FDA-A603-000000009A01}3020C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009195Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:42.629{84BF0721-627B-5FDA-9B03-000000009A01}30682444C:\Windows\system32\cmd.exe{84BF0721-627E-5FDA-A603-000000009A01}3020C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+10aa0|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009194Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:42.640{84BF0721-627E-5FDA-A603-000000009A01}3020C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping -n 1 -w 100 192.168.1.8 C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{84BF0721-627B-5FDA-9B03-000000009A01}3068C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i" 10341000x80000000000000009193Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:42.613{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-627E-5FDA-A503-000000009A01}1416C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009192Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:42.613{84BF0721-615C-5FDA-2C01-000000009A01}33322192C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{84BF0721-627E-5FDA-A503-000000009A01}1416C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000009191Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:42.426{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-627E-5FDA-A403-000000009A01}2600C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009190Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:42.410{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-627E-5FDA-A403-000000009A01}2600C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009189Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:42.410{84BF0721-615C-5FDA-2C01-000000009A01}33322668C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{84BF0721-627E-5FDA-A403-000000009A01}2600C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000009188Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:42.301{84BF0721-627D-5FDA-A203-000000009A01}3052C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\bec-0\System.Configuration.dll2020-12-16 19:39:42.301 10341000x80000000000000009187Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:42.129{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-627E-5FDA-A303-000000009A01}5044C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009186Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:42.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009185Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:42.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009184Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:42.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009183Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:42.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009182Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:42.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009181Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:42.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009180Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:42.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009179Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:42.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009178Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:42.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009177Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:42.129{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-627E-5FDA-A303-000000009A01}5044C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009176Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:42.129{84BF0721-627B-5FDA-9B03-000000009A01}30682444C:\Windows\system32\cmd.exe{84BF0721-627E-5FDA-A303-000000009A01}5044C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+10aa0|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009175Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:42.139{84BF0721-627E-5FDA-A303-000000009A01}5044C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping -n 1 -w 100 192.168.1.7 C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{84BF0721-627B-5FDA-9B03-000000009A01}3068C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i" 10341000x80000000000000009237Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:43.660{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-627F-5FDA-A903-000000009A01}1332C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009236Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:43.660{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009235Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:43.660{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009234Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:43.660{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009233Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:43.660{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009232Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:43.660{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009231Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:43.660{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009230Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:43.660{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009229Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:43.660{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009228Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:43.660{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009227Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:43.660{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-627F-5FDA-A903-000000009A01}1332C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009226Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:43.660{84BF0721-627B-5FDA-9B03-000000009A01}30682444C:\Windows\system32\cmd.exe{84BF0721-627F-5FDA-A903-000000009A01}1332C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+10aa0|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009225Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:43.660{84BF0721-627F-5FDA-A903-000000009A01}1332C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping -n 1 -w 100 192.168.1.10 C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{84BF0721-627B-5FDA-9B03-000000009A01}3068C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i" 10341000x80000000000000009224Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:43.473{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-627F-5FDA-A803-000000009A01}3188C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009223Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:43.457{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-627F-5FDA-A803-000000009A01}3188C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009222Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:43.457{84BF0721-615C-5FDA-2C01-000000009A01}33322668C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{84BF0721-627F-5FDA-A803-000000009A01}3188C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 11241100x80000000000000009221Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:43.363{84BF0721-627E-5FDA-A503-000000009A01}1416C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\588-0\System.Drawing.dll2020-12-16 19:39:43.363 10341000x80000000000000009220Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:43.129{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-627F-5FDA-A703-000000009A01}1340C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009219Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:43.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009218Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:43.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009217Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:43.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009216Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:43.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009215Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:43.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009214Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:43.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009213Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:43.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009212Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:43.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009211Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:43.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009210Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:43.129{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-627F-5FDA-A703-000000009A01}1340C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009209Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:43.129{84BF0721-627B-5FDA-9B03-000000009A01}30682444C:\Windows\system32\cmd.exe{84BF0721-627F-5FDA-A703-000000009A01}1340C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+10aa0|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009208Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:43.139{84BF0721-627F-5FDA-A703-000000009A01}1340C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping -n 1 -w 100 192.168.1.9 C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{84BF0721-627B-5FDA-9B03-000000009A01}3068C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i" 10341000x80000000000000009266Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:44.629{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-6280-5FDA-AC03-000000009A01}3844C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009265Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:44.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009264Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:44.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009263Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:44.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009262Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:44.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009261Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:44.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009260Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:44.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009259Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:44.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009258Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:44.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009257Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:44.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009256Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:44.629{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-6280-5FDA-AC03-000000009A01}3844C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009255Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:44.629{84BF0721-627B-5FDA-9B03-000000009A01}30682444C:\Windows\system32\cmd.exe{84BF0721-6280-5FDA-AC03-000000009A01}3844C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+10aa0|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009254Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:44.639{84BF0721-6280-5FDA-AC03-000000009A01}3844C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping -n 1 -w 100 192.168.1.12 C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{84BF0721-627B-5FDA-9B03-000000009A01}3068C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i" 10341000x80000000000000009253Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:44.363{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6280-5FDA-AB03-000000009A01}3996C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009252Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:44.348{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-6280-5FDA-AB03-000000009A01}3996C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009251Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:44.348{84BF0721-615C-5FDA-2C01-000000009A01}33322192C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{84BF0721-6280-5FDA-AB03-000000009A01}3996C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000009250Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:44.129{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-6280-5FDA-AA03-000000009A01}4504C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009249Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:44.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009248Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:44.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009247Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:44.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009246Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:44.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009245Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:44.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009244Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:44.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009243Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:44.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009242Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:44.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009241Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:44.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009240Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:44.129{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-6280-5FDA-AA03-000000009A01}4504C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009239Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:44.129{84BF0721-627B-5FDA-9B03-000000009A01}30682444C:\Windows\system32\cmd.exe{84BF0721-6280-5FDA-AA03-000000009A01}4504C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+10aa0|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009238Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:44.140{84BF0721-6280-5FDA-AA03-000000009A01}4504C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping -n 1 -w 100 192.168.1.11 C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{84BF0721-627B-5FDA-9B03-000000009A01}3068C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i" 10341000x80000000000000009292Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:45.629{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-6281-5FDA-AE03-000000009A01}4864C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009291Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:45.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009290Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:45.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009289Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:45.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009288Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:45.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009287Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:45.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009286Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:45.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009285Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:45.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009284Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:45.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009283Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:45.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009282Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:45.629{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-6281-5FDA-AE03-000000009A01}4864C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009281Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:45.629{84BF0721-627B-5FDA-9B03-000000009A01}30682444C:\Windows\system32\cmd.exe{84BF0721-6281-5FDA-AE03-000000009A01}4864C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+10aa0|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009280Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:45.639{84BF0721-6281-5FDA-AE03-000000009A01}4864C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping -n 1 -w 100 192.168.1.14 C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{84BF0721-627B-5FDA-9B03-000000009A01}3068C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i" 10341000x80000000000000009279Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:45.129{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-6281-5FDA-AD03-000000009A01}4312C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009278Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:45.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009277Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:45.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009276Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:45.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009275Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:45.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009274Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:45.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009273Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:45.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009272Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:45.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009271Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:45.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009270Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:45.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009269Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:45.129{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-6281-5FDA-AD03-000000009A01}4312C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009268Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:45.129{84BF0721-627B-5FDA-9B03-000000009A01}30682444C:\Windows\system32\cmd.exe{84BF0721-6281-5FDA-AD03-000000009A01}4312C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+10aa0|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009267Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:45.140{84BF0721-6281-5FDA-AD03-000000009A01}4312C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping -n 1 -w 100 192.168.1.13 C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{84BF0721-627B-5FDA-9B03-000000009A01}3068C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i" 10341000x80000000000000009321Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:46.910{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1e0a8|C:\Windows\system32\lsasrv.dll+1d2d1|C:\Windows\system32\lsasrv.dll+1bb00|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009320Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:46.910{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+11c6e|C:\Windows\system32\lsasrv.dll+1a4e6|C:\Windows\system32\lsasrv.dll+1ba8f|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009319Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:46.910{84BF0721-5EFE-5FDA-0B00-000000009A01}860592C:\Windows\system32\lsass.exe{84BF0721-5F00-5FDA-1400-000000009A01}1324C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\lsasrv.dll+1b05d|C:\Windows\system32\lsasrv.dll+2810b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009318Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:46.629{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-6282-5FDA-B003-000000009A01}4800C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009317Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:46.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009316Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:46.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009315Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:46.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009314Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:46.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009313Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:46.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009312Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:46.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009311Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:46.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009310Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:46.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009309Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:46.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009308Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:46.629{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-6282-5FDA-B003-000000009A01}4800C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009307Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:46.629{84BF0721-627B-5FDA-9B03-000000009A01}30682444C:\Windows\system32\cmd.exe{84BF0721-6282-5FDA-B003-000000009A01}4800C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+10aa0|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009306Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:46.639{84BF0721-6282-5FDA-B003-000000009A01}4800C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping -n 1 -w 100 192.168.1.16 C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{84BF0721-627B-5FDA-9B03-000000009A01}3068C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i" 10341000x80000000000000009305Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:46.129{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-6282-5FDA-AF03-000000009A01}2676C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009304Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:46.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009303Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:46.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009302Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:46.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009301Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:46.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009300Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:46.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009299Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:46.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009298Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:46.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009297Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:46.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009296Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:46.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009295Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:46.129{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-6282-5FDA-AF03-000000009A01}2676C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009294Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:46.129{84BF0721-627B-5FDA-9B03-000000009A01}30682444C:\Windows\system32\cmd.exe{84BF0721-6282-5FDA-AF03-000000009A01}2676C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+10aa0|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009293Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:46.139{84BF0721-6282-5FDA-AF03-000000009A01}2676C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping -n 1 -w 100 192.168.1.15 C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{84BF0721-627B-5FDA-9B03-000000009A01}3068C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i" 11241100x80000000000000009348Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:47.848{84BF0721-6280-5FDA-AB03-000000009A01}3996C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\f9c-0\System.Data.dll2020-12-16 19:39:47.848 10341000x80000000000000009347Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:47.629{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-6283-5FDA-B203-000000009A01}4660C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009346Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:47.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009345Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:47.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009344Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:47.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009343Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:47.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009342Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:47.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009341Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:47.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009340Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:47.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009339Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:47.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009338Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:47.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009337Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:47.629{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-6283-5FDA-B203-000000009A01}4660C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009336Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:47.629{84BF0721-627B-5FDA-9B03-000000009A01}30682444C:\Windows\system32\cmd.exe{84BF0721-6283-5FDA-B203-000000009A01}4660C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+10aa0|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009335Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:47.639{84BF0721-6283-5FDA-B203-000000009A01}4660C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping -n 1 -w 100 192.168.1.18 C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{84BF0721-627B-5FDA-9B03-000000009A01}3068C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i" 10341000x80000000000000009334Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:47.129{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-6283-5FDA-B103-000000009A01}4668C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009333Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:47.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009332Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:47.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009331Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:47.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009330Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:47.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009329Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:47.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009328Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:47.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009327Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:47.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009326Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:47.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009325Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:47.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009324Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:47.129{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-6283-5FDA-B103-000000009A01}4668C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009323Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:47.129{84BF0721-627B-5FDA-9B03-000000009A01}30682444C:\Windows\system32\cmd.exe{84BF0721-6283-5FDA-B103-000000009A01}4668C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+10aa0|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009322Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:47.139{84BF0721-6283-5FDA-B103-000000009A01}4668C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping -n 1 -w 100 192.168.1.17 C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{84BF0721-627B-5FDA-9B03-000000009A01}3068C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i" 10341000x80000000000000009380Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:48.738{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6284-5FDA-B603-000000009A01}1212C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009379Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:48.723{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-6284-5FDA-B603-000000009A01}1212C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009378Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:48.723{84BF0721-615C-5FDA-2C01-000000009A01}33322192C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{84BF0721-6284-5FDA-B603-000000009A01}1212C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+77e0d|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ae03(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c43d(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+c4ad(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60779(wow64)|C:\Windows\SYSTEM32\ntdll.dll+60744(wow64) 10341000x80000000000000009377Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:48.629{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-6284-5FDA-B503-000000009A01}5080C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009376Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:48.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009375Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:48.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009374Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:48.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009373Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:48.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009372Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:48.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009371Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:48.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009370Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:48.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009369Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:48.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009368Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:48.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009367Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:48.629{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-6284-5FDA-B503-000000009A01}5080C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009366Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:48.629{84BF0721-627B-5FDA-9B03-000000009A01}30682444C:\Windows\system32\cmd.exe{84BF0721-6284-5FDA-B503-000000009A01}5080C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+10aa0|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009365Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:48.640{84BF0721-6284-5FDA-B503-000000009A01}5080C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping -n 1 -w 100 192.168.1.20 C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{84BF0721-627B-5FDA-9B03-000000009A01}3068C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i" 10341000x80000000000000009364Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:48.129{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-6284-5FDA-B403-000000009A01}884C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009363Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:48.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009362Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:48.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009361Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:48.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009360Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:48.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009359Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:48.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009358Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:48.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009357Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:48.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009356Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:48.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009355Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:48.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009354Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:48.129{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-6284-5FDA-B403-000000009A01}884C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009353Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:48.129{84BF0721-627B-5FDA-9B03-000000009A01}30682444C:\Windows\system32\cmd.exe{84BF0721-6284-5FDA-B403-000000009A01}884C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+10aa0|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009352Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:48.139{84BF0721-6284-5FDA-B403-000000009A01}884C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping -n 1 -w 100 192.168.1.19 C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{84BF0721-627B-5FDA-9B03-000000009A01}3068C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i" 10341000x80000000000000009351Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:48.098{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-6284-5FDA-B303-000000009A01}4204C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009350Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:48.098{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-6284-5FDA-B303-000000009A01}4204C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009349Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:48.082{84BF0721-615C-5FDA-2C01-000000009A01}33322668C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{84BF0721-6284-5FDA-B303-000000009A01}4204C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000009406Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:49.629{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-6285-5FDA-B803-000000009A01}4980C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009405Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:49.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009404Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:49.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009403Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:49.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009402Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:49.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009401Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:49.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009400Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:49.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009399Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:49.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009398Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:49.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009397Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:49.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009396Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:49.629{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-6285-5FDA-B803-000000009A01}4980C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009395Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:49.629{84BF0721-627B-5FDA-9B03-000000009A01}30682444C:\Windows\system32\cmd.exe{84BF0721-6285-5FDA-B803-000000009A01}4980C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+10aa0|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009394Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:49.639{84BF0721-6285-5FDA-B803-000000009A01}4980C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping -n 1 -w 100 192.168.1.22 C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{84BF0721-627B-5FDA-9B03-000000009A01}3068C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i" 10341000x80000000000000009393Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:49.129{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-6285-5FDA-B703-000000009A01}4172C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009392Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:49.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009391Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:49.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009390Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:49.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009389Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:49.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009388Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:49.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009387Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:49.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009386Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:49.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009385Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:49.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009384Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:49.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009383Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:49.129{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-6285-5FDA-B703-000000009A01}4172C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009382Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:49.129{84BF0721-627B-5FDA-9B03-000000009A01}30682444C:\Windows\system32\cmd.exe{84BF0721-6285-5FDA-B703-000000009A01}4172C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+10aa0|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009381Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:49.140{84BF0721-6285-5FDA-B703-000000009A01}4172C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping -n 1 -w 100 192.168.1.21 C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{84BF0721-627B-5FDA-9B03-000000009A01}3068C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i" 10341000x80000000000000009459Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.988{84BF0721-6286-5FDA-BC03-000000009A01}31881556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{84BF0721-5FA9-5FDA-B300-000000009A01}4840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009458Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.832{84BF0721-5FA9-5FDA-B700-000000009A01}39644892C:\Windows\system32\conhost.exe{84BF0721-6286-5FDA-BC03-000000009A01}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009457Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.832{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009456Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.832{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009455Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.832{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009454Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.832{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009453Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.832{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009452Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.832{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009451Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.832{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009450Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.832{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009449Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.832{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009448Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.832{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-6286-5FDA-BC03-000000009A01}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009447Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.832{84BF0721-5FA9-5FDA-B300-000000009A01}48404756C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{84BF0721-6286-5FDA-BC03-000000009A01}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009446Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.834{84BF0721-6286-5FDA-BC03-000000009A01}3188C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{84BF0721-5EFE-5FDA-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{84BF0721-5FA9-5FDA-B300-000000009A01}4840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009445Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.629{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-6286-5FDA-BB03-000000009A01}3744C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009444Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009443Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009442Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009441Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009440Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009439Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009438Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009437Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009436Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009435Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.629{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-6286-5FDA-BB03-000000009A01}3744C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009434Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.629{84BF0721-627B-5FDA-9B03-000000009A01}30682444C:\Windows\system32\cmd.exe{84BF0721-6286-5FDA-BB03-000000009A01}3744C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+10aa0|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009433Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.640{84BF0721-6286-5FDA-BB03-000000009A01}3744C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping -n 1 -w 100 192.168.1.24 C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{84BF0721-627B-5FDA-9B03-000000009A01}3068C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i" 10341000x80000000000000009432Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.176{84BF0721-5FA9-5FDA-B700-000000009A01}39644892C:\Windows\system32\conhost.exe{84BF0721-6286-5FDA-BA03-000000009A01}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009431Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.176{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009430Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.176{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009429Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.176{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009428Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.176{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009427Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.176{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009426Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.176{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009425Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.176{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009424Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.176{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009423Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.176{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009422Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.176{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-6286-5FDA-BA03-000000009A01}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009421Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.176{84BF0721-5FA9-5FDA-B300-000000009A01}48404756C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{84BF0721-6286-5FDA-BA03-000000009A01}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009420Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.177{84BF0721-6286-5FDA-BA03-000000009A01}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{84BF0721-5EFE-5FDA-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{84BF0721-5FA9-5FDA-B300-000000009A01}4840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009419Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.129{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-6286-5FDA-B903-000000009A01}4140C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009418Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009417Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009416Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009415Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009414Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009413Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009412Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009411Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009410Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009409Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.129{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-6286-5FDA-B903-000000009A01}4140C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009408Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.129{84BF0721-627B-5FDA-9B03-000000009A01}30682444C:\Windows\system32\cmd.exe{84BF0721-6286-5FDA-B903-000000009A01}4140C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+10aa0|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009407Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:50.139{84BF0721-6286-5FDA-B903-000000009A01}4140C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping -n 1 -w 100 192.168.1.23 C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{84BF0721-627B-5FDA-9B03-000000009A01}3068C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i" 10341000x80000000000000009498Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.629{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-6287-5FDA-BF03-000000009A01}3204C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009497Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009496Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009495Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009494Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009493Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009492Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009491Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009490Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009489Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009488Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.629{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-6287-5FDA-BF03-000000009A01}3204C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009487Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.629{84BF0721-627B-5FDA-9B03-000000009A01}30682444C:\Windows\system32\cmd.exe{84BF0721-6287-5FDA-BF03-000000009A01}3204C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+10aa0|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009486Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.639{84BF0721-6287-5FDA-BF03-000000009A01}3204C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping -n 1 -w 100 192.168.1.26 C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{84BF0721-627B-5FDA-9B03-000000009A01}3068C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i" 10341000x80000000000000009485Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.410{84BF0721-5FA9-5FDA-B700-000000009A01}39644892C:\Windows\system32\conhost.exe{84BF0721-6287-5FDA-BE03-000000009A01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009484Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.410{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009483Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.410{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009482Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.410{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009481Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.410{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009480Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.410{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009479Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.410{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009478Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.410{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009477Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.410{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009476Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.410{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009475Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.410{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-6287-5FDA-BE03-000000009A01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009474Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.410{84BF0721-5FA9-5FDA-B300-000000009A01}48404756C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{84BF0721-6287-5FDA-BE03-000000009A01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009473Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.413{84BF0721-6287-5FDA-BE03-000000009A01}3768C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{84BF0721-5EFE-5FDA-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{84BF0721-5FA9-5FDA-B300-000000009A01}4840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009472Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.129{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-6287-5FDA-BD03-000000009A01}3836C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009471Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009470Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009469Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009468Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009467Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009466Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009465Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009464Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009463Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009462Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.129{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-6287-5FDA-BD03-000000009A01}3836C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009461Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.129{84BF0721-627B-5FDA-9B03-000000009A01}30682444C:\Windows\system32\cmd.exe{84BF0721-6287-5FDA-BD03-000000009A01}3836C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+10aa0|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009460Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:51.140{84BF0721-6287-5FDA-BD03-000000009A01}3836C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping -n 1 -w 100 192.168.1.25 C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{84BF0721-627B-5FDA-9B03-000000009A01}3068C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i" 10341000x80000000000000009538Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.848{84BF0721-6288-5FDA-C203-000000009A01}25922488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{84BF0721-5FA9-5FDA-B300-000000009A01}4840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009537Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.691{84BF0721-5FA9-5FDA-B700-000000009A01}39644892C:\Windows\system32\conhost.exe{84BF0721-6288-5FDA-C203-000000009A01}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009536Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.691{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009535Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.691{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009534Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.691{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009533Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.691{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009532Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.691{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009531Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.691{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009530Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.691{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009529Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.691{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009528Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.691{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009527Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.691{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-6288-5FDA-C203-000000009A01}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009526Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.691{84BF0721-5FA9-5FDA-B300-000000009A01}48404756C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{84BF0721-6288-5FDA-C203-000000009A01}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009525Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.694{84BF0721-6288-5FDA-C203-000000009A01}2592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{84BF0721-5EFE-5FDA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{84BF0721-5FA9-5FDA-B300-000000009A01}4840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009524Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.629{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-6288-5FDA-C103-000000009A01}4432C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009523Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009522Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009521Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009520Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009519Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009518Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009517Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009516Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009515Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009514Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.629{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-6288-5FDA-C103-000000009A01}4432C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009513Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.629{84BF0721-627B-5FDA-9B03-000000009A01}30682444C:\Windows\system32\cmd.exe{84BF0721-6288-5FDA-C103-000000009A01}4432C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+10aa0|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009512Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.639{84BF0721-6288-5FDA-C103-000000009A01}4432C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping -n 1 -w 100 192.168.1.28 C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{84BF0721-627B-5FDA-9B03-000000009A01}3068C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i" 10341000x80000000000000009511Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.129{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-6288-5FDA-C003-000000009A01}4040C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009510Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009509Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009508Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009507Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009506Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009505Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009504Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009503Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009502Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009501Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.129{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-6288-5FDA-C003-000000009A01}4040C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009500Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.129{84BF0721-627B-5FDA-9B03-000000009A01}30682444C:\Windows\system32\cmd.exe{84BF0721-6288-5FDA-C003-000000009A01}4040C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+10aa0|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009499Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:52.139{84BF0721-6288-5FDA-C003-000000009A01}4040C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping -n 1 -w 100 192.168.1.27 C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{84BF0721-627B-5FDA-9B03-000000009A01}3068C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i" 10341000x80000000000000009578Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.629{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-6289-5FDA-C503-000000009A01}4376C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009577Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009576Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009575Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009574Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009573Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009572Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009571Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009570Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009569Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009568Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.629{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-6289-5FDA-C503-000000009A01}4376C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009567Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.629{84BF0721-627B-5FDA-9B03-000000009A01}30682444C:\Windows\system32\cmd.exe{84BF0721-6289-5FDA-C503-000000009A01}4376C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+10aa0|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009566Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.639{84BF0721-6289-5FDA-C503-000000009A01}4376C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping -n 1 -w 100 192.168.1.30 C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{84BF0721-627B-5FDA-9B03-000000009A01}3068C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i" 10341000x80000000000000009565Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.504{84BF0721-6289-5FDA-C403-000000009A01}40244820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{84BF0721-5FA9-5FDA-B300-000000009A01}4840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009564Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.363{84BF0721-5FA9-5FDA-B700-000000009A01}39644892C:\Windows\system32\conhost.exe{84BF0721-6289-5FDA-C403-000000009A01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009563Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.363{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009562Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.363{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009561Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.363{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009560Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.363{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009559Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.363{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009558Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.363{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009557Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.363{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009556Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.363{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009555Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.363{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009554Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.363{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-6289-5FDA-C403-000000009A01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009553Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.363{84BF0721-5FA9-5FDA-B300-000000009A01}48404756C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{84BF0721-6289-5FDA-C403-000000009A01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009552Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.365{84BF0721-6289-5FDA-C403-000000009A01}4024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{84BF0721-5EFE-5FDA-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{84BF0721-5FA9-5FDA-B300-000000009A01}4840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000009551Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.145{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-6289-5FDA-C303-000000009A01}668C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009550Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009549Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009548Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009547Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009546Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009545Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009544Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009543Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009542Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009541Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.129{84BF0721-5EFD-5FDA-0500-000000009A01}6442252C:\Windows\system32\csrss.exe{84BF0721-6289-5FDA-C303-000000009A01}668C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009540Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.129{84BF0721-627B-5FDA-9B03-000000009A01}30682444C:\Windows\system32\cmd.exe{84BF0721-6289-5FDA-C303-000000009A01}668C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+10aa0|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009539Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:53.142{84BF0721-6289-5FDA-C303-000000009A01}668C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping -n 1 -w 100 192.168.1.29 C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{84BF0721-627B-5FDA-9B03-000000009A01}3068C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i" 10341000x80000000000000009608Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:54.863{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-628A-5FDA-C803-000000009A01}4632C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5296|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+2d5ab|C:\Windows\System32\RPCRT4.dll+61b6a|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009607Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:54.848{84BF0721-5EFD-5FDA-0500-000000009A01}644660C:\Windows\system32\csrss.exe{84BF0721-628A-5FDA-C803-000000009A01}4632C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009606Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:54.848{84BF0721-615C-5FDA-2C01-000000009A01}33322668C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{84BF0721-628A-5FDA-C803-000000009A01}4632C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000009605Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:54.629{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-628A-5FDA-C703-000000009A01}3460C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009604Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:54.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009603Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:54.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009602Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:54.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009601Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:54.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009600Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:54.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009599Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:54.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009598Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:54.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009597Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:54.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009596Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:54.629{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009595Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:54.629{84BF0721-5EFD-5FDA-0500-000000009A01}6441172C:\Windows\system32\csrss.exe{84BF0721-628A-5FDA-C703-000000009A01}3460C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009594Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:54.629{84BF0721-627B-5FDA-9B03-000000009A01}30682444C:\Windows\system32\cmd.exe{84BF0721-628A-5FDA-C703-000000009A01}3460C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+10aa0|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009593Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:54.639{84BF0721-628A-5FDA-C703-000000009A01}3460C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping -n 1 -w 100 192.168.1.32 C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{84BF0721-627B-5FDA-9B03-000000009A01}3068C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i" 11241100x80000000000000009592Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.localDLL2020-12-16 19:39:54.473{84BF0721-6284-5FDA-B603-000000009A01}1212C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exeC:\Windows\assembly\NativeImages_v4.0.30319_32\Temp\4bc-0\System.Windows.Forms.dll2020-12-16 19:39:54.473 10341000x80000000000000009591Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:54.129{84BF0721-626C-5FDA-8003-000000009A01}33444072C:\Windows\system32\conhost.exe{84BF0721-628A-5FDA-C603-000000009A01}3672C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009590Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:54.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009589Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:54.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009588Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:54.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009587Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:54.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009586Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:54.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009585Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:54.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009584Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:54.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009583Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:54.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009582Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:54.129{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009581Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:54.129{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-628A-5FDA-C603-000000009A01}3672C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009580Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:54.129{84BF0721-627B-5FDA-9B03-000000009A01}30682444C:\Windows\system32\cmd.exe{84BF0721-628A-5FDA-C603-000000009A01}3672C:\Windows\system32\PING.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+10aa0|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x80000000000000009579Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:54.140{84BF0721-628A-5FDA-C603-000000009A01}3672C:\Windows\System32\PING.EXE10.0.14393.0 (rs1_release.160715-1616)TCP/IP Ping CommandMicrosoft® Windows® Operating SystemMicrosoft Corporationping.exeping -n 1 -w 100 192.168.1.31 C:\Users\ADMINI~1\AppData\Local\Temp\ATTACKRANGE\Administrator{84BF0721-626C-5FDA-F64F-210000000000}0x214ff60HighMD5=7B647B55695ACE1E99158F79AB3AF51A,SHA256=ED7FA5B3CCBDD31A9E83F7C59F78AB5E2C83C7FEEDCC5F8B95948D11EBD7FF34,IMPHASH=5AAE2D3679223F82E19660D380B78FB5{84BF0721-627B-5FDA-9B03-000000009A01}3068C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" /c "for /l %i in (1,1,254) do ping -n 1 -w 100 192.168.1.%i" 10341000x80000000000000009667Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:55.988{84BF0721-5EFD-5FDA-0500-000000009A01}644760C:\Windows\system32\csrss.exe{84BF0721-628B-5FDA-CE03-000000009A01}4372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x80000000000000009666Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:55.988{84BF0721-615C-5FDA-2C01-000000009A01}33322668C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe{84BF0721-628B-5FDA-CE03-000000009A01}4372C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a6d64|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+927a7|C:\Windows\SYSTEM32\ntdll.dll+c6c62|C:\Windows\SYSTEM32\ntdll.dll+77cae|C:\Windows\SYSTEM32\ntdll.dll+6f85c(wow64)|C:\Windows\System32\KERNELBASE.dll+d90a8(wow64)|C:\Windows\System32\KERNELBASE.dll+d7d7c(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b37e(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+73b7(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a4c6(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+a642(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+ad30(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+abce(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+af4a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+b1b4(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8f0a(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+8fe3(wow64)|C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvc.dll+9082(wow64) 10341000x80000000000000009665Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:55.941{84BF0721-5FA9-5FDA-B700-000000009A01}39644892C:\Windows\system32\conhost.exe{84BF0721-628B-5FDA-CD03-000000009A01}2768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\SYSTEM32\ConhostV2.dll+5c07|C:\Windows\SYSTEM32\ConhostV2.dll+76ab|C:\Windows\SYSTEM32\ConhostV2.dll+a84c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009664Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:55.941{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009663Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:55.941{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009662Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:55.941{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009661Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:55.941{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009660Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:55.941{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009659Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:55.941{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009658Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:55.941{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009657Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:55.941{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\system32\svchost.exe{84BF0721-5F10-5FDA-3100-000000009A01}8C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a5a94|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+78693|C:\Windows\System32\RPCRT4.dll+d96bd|C:\Windows\System32\RPCRT4.dll+6145c|C:\Windows\System32\RPCRT4.dll+52964|C:\Windows\System32\RPCRT4.dll+5187d|C:\Windows\System32\RPCRT4.dll+5212b|C:\Windows\System32\RPCRT4.dll+2469c|C:\Windows\System32\RPCRT4.dll+24b1c|C:\Windows\System32\RPCRT4.dll+111bc|C:\Windows\System32\RPCRT4.dll+12a1b|C:\Windows\System32\RPCRT4.dll+1e12a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x80000000000000009656Microsoft-Windows-Sysmon/Operationalwin-dc-644.attackrange.local-2020-12-16 19:39:55.941{84BF0721-5EFF-5FDA-0C00-000000009A01}612712C:\Windows\syste